Guidance for Managing Cyber-Security Risks

In February 2014, the California Attorney General, in collaboration with the California Chamber of Commerce and the mobile security company Lookout, issued a guide titled "Cybersecurity in the Golden State" with recommendations for California businesses (especially small to midsize businesses) on managing cyber-security risks. Businesses elsewhere also should review and consider this guidance and these recommendations.

These recommendations are not regulations, mandates, or legal opinions. They provide a brief and incomplete summary of several best practices that help manage the risks posed by cyber-security threats facing small businesses and a response plan for a cyber incident.

Following is a 25-item checklist summary of these practical recommendations for businesses on managing cyber-security risks.

1. Comprehensively review the types of data businesses have stored on their information technology (IT) systems, on-site as well as off-site, and with third parties (including backup tapes and cloud computing solutions) and then eliminate what is not really needed.
2. Encrypt data on business systems (e.g., laptops and desktops) and use strong encryption for wireless transmission.
3. Separate machines that handle sensitive information (e.g., payroll or point of sale functions) from machines involved with routine services (e.g., updating Facebook and checking email).
4. Provide employees access only to those systems and the specific information that are necessary to do their jobs; do not provide any one employee access to all data or access to all systems (financial, personnel, inventory, manufacturing, etc.).
5. Disable and purge old user accounts (e.g., user accounts should be disabled at the time of an employee's departure).
6. Back up important data on each computer used in the business on a monthly basis and test the backups to ensure they can be read.
7. Securely dispose of stored data (e.g., when disposing of old computers, remove the hard disks and destroy them; when disposing of old media, destroy any containing sensitive business or personal data).
8. Engage in online banking using a secure browser connection (indicated by "https" and/or a lock visible in the address bar or in the lower right corner of the Web browser window) and in the private mode of the Web browser. Erase the Web browser cache, temporary Internet files, cookies, and history afterward. Use the security options offered by the business's financial institution (e.g., text or email notifications about account activities, bank account with two-factor authentication for online banking). Two-factor authentication adds an autogenerated passcode that is only valid for a short period of time and is required in addition to login credentials in order to gain access to the online account. Do not allow a single individual to both initiate and approve financial transactions. Set limits on the amount that can be wired from bank accounts. Depending on business needs, consider asking the bank to require two executive team signatures before sending wire transfers overseas.
9. Deploy regularly updated firewalls, antivirus, and other Internet security solutions covering all digital devices, from desktop computers to smartphones to tablets, as well as home systems that employees may use for business, including the ability to remotely locate or wipe a missing device and the ability to identify and block never seen before attacks using technologies that analyze behavior and/or employ virtualization tools. For broadband Internet access, install and keep operational a hardware firewall between the internal network and the Internet.
10. Educate and train employees about cyber security (e.g., never click on a hyperlink or open a file from an unknown or untrusted source) and request that they sign a statement that they understand the business's policies, that they will follow those policies, and that they understand the penalties for not following those policies.
11. Change any default username or passwords for computers, printers, routers, smartphones, or other devices; use strong passwords (e.g., at least eight characters long; avoid using personal information) and complexity (consisting of a random sequence of letters, numbers, and special characters). Do not use the same passwords for personal and business use. Do not write all passwords down in one place. Change passwords frequently (every 3 months is a good rule of thumb). Do not let the Internet browser remember passwords.
12. Provide each employee with an individual account with a unique username and password.
13. Keep all operating systems and software up to date (e.g., patches and updates). Avoid software from any unknown source. Remove or uninstall software that no longer is being used.
14. Ensure that computer accounts used by employees do not have administrative privileges.
15. Enforce a social media policy to prevent employees from posting corporate information on third-party social networking services (e.g., Facebook, Twitter, LinkedIn, etc.).
16. Perform background checks on key employees (all executives, all finance personnel, and anyone with administrator access (e.g., IT staff)).
17. Ensure corporate wireless networks are properly secured.
18. Do not use public (i.e., noncorporate) wireless connections to conduct business (e.g., checking email), unless using a secure connection (e.g., corporate virtual private network access and/or a secure sockets layer-protected Web email server).
19. Prepare an incident response plan for when a cyber incident happens.
20. Pick an incident team and assign a team leader; this team should include an executive and an in-house counsel if there is one.
21. Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at the business who to contact if they suspect a cyber incident has occurred (or is occurring). Gather after-hours contact information for incident team members and distribute this information to all staff. Consider channels of communications that do not involve business-provided phones and email.
22. Outline the basic steps of the incident response plan by establishing checklists and clear action items.
23. Prepare specific policies and procedures to implement in specific situations (i.e., each type of incident that the business might experience: a lost computer, smartphone, or thumb drive containing unencrypted data, an external data breach or theft of intellectual property, malware, cyber extortion, etc.); for each scenario, prepare an easily accessible quick-response guide.
24. Form relationships with key third parties (e.g., law enforcement and cyber-security experts) and have their contact information handy.
25. Address in an incident response plan procedures necessary to adequately document the details of a particular incident (including a timeline of events, preservation of compromised systems if necessary, as well as who was involved and the response) and the process to review the preventative cyber-security measures and the plan after every cyber incident. If the incident involved the possible disclosure of unencrypted personally identifiable information or payment card information, consult with a lawyer.

Businesses also are encouraged to review the "National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity," a voluntary risk-based set of industry standards and best practices for organizations to use in managing cyber-security risks that was issued in February 2014, as well as the payment card industry data security standards in the case of businesses with credit card payment information.