National Cyber Security Awareness Month

National Cyber Security Month was created as a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.

Our focus today is on small to medium businesses. Homeland Security has created a Cyber Security Planning Guide that will be used as a reference for today’s talk.

Yes, this is the same group that is responsible for airline security. I know many people see things that Homeland Security does not do well, but their Cyber Security Planning Guide is a good place to start a conversation.

Businesses large and small can and need to do more to protect against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals.


Where do you start?


  • Identify and categorize your business information.
    • Your customer list is a key part of the business. Does everyone have access to this list? Do you restrict how this information is used?
    • Your sub-contractors or vendors are an important asset to your business.
    • Your business processes can be unique to your operation.
    • What other information would you consider your intellectual property?
      • Customer sales records
      • Credit card transactions
      • Medical records
      • Employee payroll records
      • Email lists
      • Marketing plans
      • Business leads
      • Product design and development plans
    • Who should have access to your business information? Is it all stored where everyone can see all of your business? Is it encrypted so only the right people can read or change the data?



  • Company Policies, setting the rules for business conduct
    • Written policies are necessary in the employee handbook for these topics
      • Computer and Internet usage
        • You have to state that the equipment the business purchased is for business use. Unless it is in writing, an employee can use any of the equipment for their own use.
      • Social media policy: even if you don’t use social media in your business, someone is talking about you.
      • Email usage policy, including that you have the right to monitor company email usage: what to say and how to say it.
      • Privacy Policy for employee, customer or client information
        • Personally Identifiable Information
          • Name, address, social security number, email address, home phone number, cell phone number, date of birth
        • Personal health information
        • Customer Information
          • Names, address, payment information, credit card numbers, shipping information, purchase history, buying preferences



  • Train employees and yourself frequently, 2-3 times a year
    • Social engineering, also known as “pretexting,” is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices or networks. Social engineering is successful because the bad guys are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users.
    • What to look for in an email message that is really a phishing attempt
    • What information to give out to a telephone inquiry to your business. Find out who you are talking with. What do they need to know, and why?



Secure your business network

You pay for the office, Internet connection, email service, and computers. You set the rules with your company policies.

What is multi layered security?


  • Don’t rely on just one technology to stay safe on the Internet
    • Just having an anti-virus program on your computer is not enough to prevent data loss or a compromised network or computer.
      • You can scan for viruses and malware at your Internet connection with one vendor and scan the computers, or end points with another vendor.
    • Control outbound Internet access, something retail routers do not do.
      • Do you need to reach web sites in China to run your business? Do you need to talk with all of China or just a few places where you have contacts? You can apply this process to all 252 country codes on the Internet.
      • Filter non-business access outbound
        • Porn sites, hate sites, shopping sites, social media sites
        • Do you need to run a Chinese peer-to-peer application specifically centered on users uploading media content for other users to view using their application? If not, then stop high-risk traffic from exiting your network. Block the 275 high or very high risk network traffic protocols that you just don’t use. Retail shelf routers don’t care or know what protocols (the network language) the packets are using.
        • Log access to network to have an audit trail when something goes wrong.
      • Keep your software current. The Java program alone has had 101 security patches in the last year. The typical computer has 67 programs loaded that could become back doors for hackers if you don’t have the latest security patches. A software patch management program will give you the patch status for every machine in your office.
      • Passwords
        • If you have not changed your password this year, how many people might have access to your information?
          • Change every time you have an employee leave. You change the locks or physical codes when someone leaves, so why not your electronic locks?
          • Use a password manager; you have too many passwords to remember today.
          • Don’t use a password on the list of the 1000 most common passwords
          • Use a pass phrase or sentence to unlock your password manager.
          • Two factor authentication methods, which require two types of evidence that you are who you claim to be, are safer than using just static passwords
            • Google and Microsoft have phone apps that will send authentication codes when you login from another location.
            • LastPass sends an email to your registered account when you access the service from a new location.
          • WiFi
            • WiFi Protected Setup
              • Created for home users who know little of wireless security and may be intimidated by the available security options to set up Wi-Fi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases.
              • Wi-Fi Protected Setup is susceptible to attack because of a basic design flaw. According to the Computer Emergency Readiness Team, CERT, they are “unaware of a practical solution to this problem.”
              • In September 2014 a security researcher, Dominique Bongard, demonstrated that WPS could also be cracked offline using a computer. This process extracts the third message from one failed access to the router. This number is used to decode the 8-digit PIN for the wireless access point. Your access point no longer needs more than one unsuccessful login to reveal its permanent secret code.
              • Is your WiFi access turned on 24 x 7 or just during office hours?
              • Is your WiFi connected to your network with business information?
              • All these things happen with retail routers made for home use.
              • WLAN access should be restricted to specific devices and specific users to the greatest extent possible while meeting your company’s business needs.
              • Are you using the default password on your router?
                • Botnets capture routers with default passwords to disrupt Internet traffic.
              • Remote Access
                • If your company needs to provide remote access to your company’s internal network over the Internet, one popular and secure option is to employ a secure Virtual Private Network (VPN) system accompanied by strong two-factor authentication, using either hardware or software tokens.
                  • The easier the stores make it for managers to remotely handle payment transactions, the easier it’s also for thieves.
                  • Trustwave last year estimated that 63% of 450 data breaches studied by the security vendor were caused by security vulnerabilities that were introduced by a third party. Don’t become a “Target”.
                • All those phones and tablets
                  • You know everyone in your office has a smart phone. No one may have exactly the same phone unless you issued all of the devices. Now your company email is on each of those devices. When someone leaves the company, how do you wipe the old company email off the device? Or do you just let them walk off with every customer contact that exists in your Exchange server?
                • USB drives
                  • Do you allow anyone to plug in a USB device to a machine on your network?
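As an added example (not code from the talk or from the Homeland Security guide), here is a small Python policy check for the password bullets above: screening a password against a common-password list, requiring a sentence-style passphrase for the password manager, and flagging accounts that have not been changed within a year or since an employee left. The common-password list and the account records are constructed sample data.

```python
from datetime import date

# Constructed stand-in for the "1000 most common passwords" list (lower-case).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                    "admin", "iloveyou", "monkey", "dragon", "football"}
MAX_AGE_DAYS = 365             # "if you have not changed your password this year"
MIN_PASSPHRASE_WORDS = 4       # a sentence, not one word, unlocks the manager
DECORATION = "0123456789!@#$%"  # digits/symbols people tack onto a common word


def password_problems(pw, common=COMMON_PASSWORDS):
    """Return the policy failures for one password (empty list means it passes)."""
    problems = []
    # "Password1!" is still "password": strip the decoration before the lookup.
    if pw.lower().strip(DECORATION) in common:
        problems.append("on the common-password list")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    return problems


def passphrase_ok(phrase):
    """Master passphrase for the password manager: a sentence of several words."""
    return len(phrase.split()) >= MIN_PASSPHRASE_WORDS and len(phrase) >= 20


def rotation_needed(accounts, departures, today):
    """accounts: {name: date last changed}; departures: dates employees left.
    Returns {name: reasons} for every account that must be changed now."""
    flagged = {}
    for name, changed in accounts.items():
        reasons = []
        if (today - changed).days > MAX_AGE_DAYS:
            reasons.append("not changed in over a year")
        if any(changed < left for left in departures):
            reasons.append("not changed since an employee left")
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample data: three shared accounts and one departure.
SAMPLE_ACCOUNTS = {"router-admin": date(2013, 5, 1),
                   "payroll": date(2014, 9, 20),
                   "email": date(2014, 3, 10)}
DEPARTURES = [date(2014, 6, 15)]
TODAY = date(2014, 10, 1)

if __name__ == "__main__":
    for name, reasons in rotation_needed(SAMPLE_ACCOUNTS, DEPARTURES, TODAY).items():
        print(f"change {name}: {', '.join(reasons)}")
    print(password_problems("Password1!"))
```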

When you become one of the 60%.

According to the Verizon data breach survey, 60% of data breaches occur in companies with fewer than 100 employees. What do you need to do now?

  • Arizona law applies to all non-encrypted personally identifiable information.
    • Name and social security number; every employee’s name and social security number are in your payroll database.
    • Name and driver’s license or state id number.
    • Name and any of the following
      • Debit card number, credit card number, financial account number, password, security code or access code that would allow account access.
    • Must conduct a prompt investigation to determine if there has been a data breach. If there has, you need to notify anyone who may be affected. This notification occurs after law enforcement determines that it will not compromise their investigation.
      • This includes the loss of a laptop, notebook or flash drive with unencrypted data on the device.