These recommendations are not regulations, mandates, or legal opinions.
They provide a brief and incomplete summary of several best practices
that help manage the risks posed by cyber-security threats facing small
businesses and a response plan for a cyber incident.
Following is a 25-item checklist summary of these practical
recommendations for businesses on managing cyber-security risks.
Comprehensively review the types of data businesses
have stored on their information technology (IT) systems, on-site as
well as off-site, and with third parties (including backup tapes and
cloud computing solutions) and then eliminate what is not really needed.
Encrypt data at rest on business systems (e.g., full-disk encryption on
laptops and desktops) and use strong encryption for wireless transmission
(WPA2 or WPA3 with a strong passphrase; never WEP or an open network).
Separate machines that handle sensitive information
(e.g., payroll or point of sale functions) from machines involved with
routine services (e.g., updating Facebook and checking email).
Provide employees access only to those systems and
the specific information that are necessary to do their jobs; do not
provide any one employee access to all data or access to all systems
(financial, personnel, inventory, manufacturing, etc.).
Disable and purge old user accounts (e.g., user accounts should be
disabled at the time of an employee's departure, and all accounts,
including shared and service accounts, should be reviewed periodically
for ones that are no longer needed).
Back up important data on each computer used in the business at least
monthly (more often for data that changes daily), keep at least one copy
off-site or disconnected from the network so that malware on the business
network cannot reach it, and test the backups by restoring files from
them to ensure they can be read.
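Testing a backup means reading the data back and comparing it with what was written, not just checking that the archive file exists. The Python script below, an added example that is not part of the original checklist, backs up a directory to a compressed tar archive, records a SHA-256 hash of every file, and then verifies the archive by reading each file out of it and re-hashing it. It also shows the two ways a backup fails a restore test: an archive that cannot be read at all, and one that reads fine but no longer contains the data that was expected. The sample files (two small files in a temporary directory), the truncation used to imitate a failed medium, and the function names are this example's own.

```python
"""Backup with an integrity manifest, and a restore test that reads the data back.

Added example; the sample files, the truncation and the names are this example's own.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

CHUNK = 64 * 1024


def _sha256_stream(fobj) -> str:
    """SHA-256 of a readable binary stream, read in chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path) -> dict:
    """Archive every file under source_dir into a .tar.gz and return a manifest
    mapping archive path -> SHA-256 of the file as it was at backup time."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            with open(path, "rb") as f:
                manifest[rel] = _sha256_stream(f)
            tar.add(str(path), arcname=rel)
    return manifest


def verify_backup(archive_path, manifest: dict) -> list:
    """Read every file back out of the archive and compare it with the manifest.
    Returns a list of problems; an empty list means the backup is readable and intact."""
    problems = []
    seen = set()
    try:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue
                seen.add(member.name)
                expected = manifest.get(member.name)
                if expected is None:
                    problems.append(f"unexpected file in archive: {member.name}")
                    continue
                with tar.extractfile(member) as f:
                    if _sha256_stream(f) != expected:
                        problems.append(f"hash mismatch: {member.name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        # A truncated or corrupt archive: this "backup" cannot be restored at all.
        problems.append(f"archive unreadable: {exc}")
        return problems
    for missing in sorted(set(manifest) - seen):
        problems.append(f"missing from archive: {missing}")
    return problems


def demo():
    """Constructed sample data: a good backup, a truncated copy, and a backup taken
    after a file was silently changed (as ransomware or a failing disk would do)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("sample notes\n")

        archive = Path(tmp) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        good = verify_backup(archive, manifest)

        # Keep only the first 40 bytes, as if the medium failed mid-write.
        data = archive.read_bytes()
        archive.write_bytes(data[:40])
        truncated = verify_backup(archive, manifest)

        # Alter a file and back up again; checked against the original manifest,
        # the archive reads fine but the content is not what was expected.
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-01,999\n")
        altered_archive = Path(tmp) / "backup2.tar.gz"
        create_backup(src, altered_archive)
        altered = verify_backup(altered_archive, manifest)
    return good, truncated, altered


if __name__ == "__main__":
    for label, result in zip(("intact", "truncated", "altered"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The manifest should be stored apart from the archive (with the off-site copy, for instance), since a manifest that sits inside a damaged archive cannot be used to judge it. Running the check on a schedule, and treating any non-empty problem list as an alert, turns "test the backups" from an intention into a routine.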
Securely dispose of stored data (e.g., when
disposing of old computers, remove the hard disks and destroy them; when
disposing of old media, destroy any containing sensitive business or
personal data).
Engage in online banking using a secure browser connection (indicated by
"https" and a lock icon in the address bar; do not proceed past a
certificate warning) and in the private mode of the Web browser. Erase
the Web browser cache, temporary Internet files, cookies, and history
afterward. Use the security options offered by the business's financial
institution (e.g., text or email notifications about account activities,
two-factor authentication for online banking). Two-factor authentication
adds an autogenerated one-time passcode, produced by an authenticator app
or hardware token or sent by text message, that is valid only for a short
period of time and is required in addition to login credentials in order
to gain access to the online account; app- or token-based codes are
preferable to text messages, which can be intercepted by an attacker who
takes over the phone number. Do not allow a single individual to both
initiate and approve financial transactions. Set limits on the amount that
can be wired from bank accounts. Depending on business needs, consider
asking the bank to require two executive team signatures before sending
wire transfers overseas.
Deploy regularly updated firewalls, antivirus, and other Internet
security solutions covering all digital devices, from desktop computers
to smartphones to tablets, as well as home systems that employees may use
for business. These should include the ability to remotely locate or wipe
a missing device and the ability to identify and block previously unseen
attacks using technologies that analyze behavior and/or open suspicious
content in an isolated (virtualized) environment. For broadband Internet
access, install and keep operational a hardware firewall between the
internal network and the Internet, and allow only the inbound connections
the business actually needs.
Educate and train employees about cyber security (e.g., never click on a
hyperlink or open an attachment from an unknown or untrusted source, and
report suspicious messages rather than deleting them quietly) and request
that they sign a statement that they understand the business's policies,
that they will follow those policies, and that they understand the
penalties for not following those policies.
Change any default usernames or passwords for computers, printers,
routers, smartphones, or other devices; use strong passwords (at least
eight characters long and preferably much longer; a passphrase of several
unrelated words is both stronger and easier to remember; avoid personal
information) and complexity (a random mix of letters, numbers, and
special characters). Do not use the same passwords for personal and
business use, and do not reuse one password across business systems, so
that a single stolen password does not open every account. Do not write
passwords down in one unprotected place such as a sticky note or a plain
text file; if a password manager is used, protect it with a strong master
password and two-factor authentication. Change passwords frequently
(every 3 months is a good rule of thumb) and immediately whenever a
compromise is suspected. Do not let the Internet browser remember
passwords.
Provide each employee with an individual account with a unique username
and password, so that activity on business systems can be traced to one
person; do not use shared accounts.
Keep all operating systems and software up to date (e.g., patches and
updates; turn on automatic updates where available). Avoid software from
any unknown source. Remove or uninstall software that is no longer being
used, since it still has to be patched and still adds to the attack
surface.
Ensure that the computer accounts employees use for day-to-day work do
not have administrative privileges; where an employee must administer a
system, give that person a separate administrator account used only for
that purpose.
Enforce a social media policy to prevent employees from
posting corporate information on third-party social networking services
(e.g., Facebook, Twitter, LinkedIn, etc.).
Perform background checks on key employees (all executives, all finance
personnel, and anyone with administrator access, such as IT staff).
Ensure corporate wireless networks are properly secured: use WPA2 or
WPA3 with a strong passphrase, change the access point's default
administrator password and network name, disable Wi-Fi Protected Setup
(WPS), and put guest and personal devices on a separate network from
business systems.
Do not use public (i.e., noncorporate) wireless connections to
conduct business (e.g., checking email), unless using a secure
connection (e.g., corporate virtual private network access and/or a
TLS-protected (https) Web email server).
Prepare an incident response plan for when a cyber incident
happens.
Pick an incident team and assign a team leader; this team
should include an executive and an in-house counsel if there is one.
Define roles and responsibilities so that everyone is clear as
to who is responsible for what should an incident arise. Communicate to
everyone at the business who to contact if they suspect a cyber incident
has occurred (or is occurring). Gather after-hours contact information
for incident team members and distribute this information to all staff.
Consider channels of communication that do not involve business-provided
phones and email, since an attacker who has compromised the business
network may be reading them.
Outline the basic steps of the incident response plan by
establishing checklists and clear action items.
Prepare specific policies and procedures to implement in
specific situations (i.e., each type of incident that the business might
experience: a lost computer, smartphone, or thumb drive containing
unencrypted data, an external data breach or theft of intellectual
property, malware, cyber extortion, etc.); for each scenario, prepare an
easily accessible quick-response guide.
Form relationships with key third parties (e.g., law
enforcement and cyber-security experts) and have their contact
information handy.
Address in the incident response plan the procedures necessary to
adequately document the details of a particular incident (including a
timeline of events; preservation of evidence, such as logs and, where
practical, disk images of compromised systems, rather than wiping and
rebuilding those systems immediately; as well as who was involved and the
response) and the process to review the preventative cyber-security
measures and the plan after every cyber incident. If the incident
involved the possible disclosure of unencrypted personally identifiable
information or payment card information, consult with a lawyer, because
breach-notification obligations may apply.