The California Attorney General’s Office has issued a report, Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents. Here’s the Executive Summary:
Executive Summary
Relatively small investments in cybersecurity preparedness can yield significant risk reductions. Every business in California should follow the steps summarized below, and discussed in greater length throughout this Guide, in order to reduce the chance they will be a victim of cybercrime. These measures, however, cannot guarantee that businesses will avoid cybersecurity incidents, and the Guide therefore contains recommendations for how to prepare an effective cybersecurity incident response plan.
1. Assume You’re a Target
Small size and relative anonymity no longer ensure that you will be left alone. Any company, whether big or small, can be the victim of cybercrime. Just as it has become second nature for most of us to lock our front doors when we leave the house, assume you are a potential target and take basic precautions to protect yourself and your company.
2. Lead by Example
Successful cybersecurity measures require the leadership and dedication of business owners. Cybersecurity is not simply the domain of the “IT person”; executive management has to get involved. Small business owners are uniquely positioned to ensure that they and their employees are following good cybersecurity practices. They are also in the best position to understand their company’s network and all the devices that connect to it. This requires dedicating the time and resources necessary to ensure the safety and security of their information assets.
3. Map and Encrypt Your Data
To effectively protect your data, you first need to know the types of data you have and the location of that data. Comprehensively review the data you have stored on your IT systems, both on site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, take a hard look and get rid of what you don’t really need.
4. Encrypt Your Data
Encrypt the data you need to keep. Encryption is an important step you can take to protect the data you have on your systems. In basic terms, encrypting data – whether it’s email, photographs, memos or any other type of electronically-stored information – encodes it so that those without the encryption keys cannot read it. Strong encryption technology is now commonly available for free, and it is easy to use. The great advantage to encrypting your data is that it renders it far less susceptible to hacking. Finally, machines that handle sensitive information like payroll or point of sale (POS) functions should ideally be on networks or systems separate from machines involved with routine services, like updating Facebook and checking email.
5. Bank Securely
It is essential that small business owners put security first when they engage in online banking. This means that online banking should only be performed using a secure browser connection (indicated by “https” and/or a lock visible in the address bar or in the lower right corner of your web browser window). Online banking sessions should be conducted in the private mode of your web browser and you should erase your web browser cache, temporary Internet files, cookies, and history afterwards so that if your system is compromised that information will not be accessible to cybercriminals. In addition, take advantage of the security options offered by your financial institution. Examples include using two–factor authentication to access your account, requiring two authorized individuals to sign off on every transfer of funds, and setting up account notifications by email or text message when certain higher–risk activities occur on your account.
Also, we recommend setting limits on wire transfers. Sophisticated transnational criminal organizations are now routinely hacking businesses’ computers and wiring large sums overseas where they cannot be recovered. To prevent this, set limits on the amount that can be wired from your accounts, and (depending on your business needs) consider asking your bank to require two executive team signatures before sending wire transfers overseas.
6. Defend Yourself
In choosing security solutions, guard against single points of failure in any specific technology or protection method. This should include the deployment of regularly updated firewalls, antivirus, and other internet security solutions that span all digital devices, from desktop computers, to smartphones, to tablets. Devices connected to your network should be secured by multiple layers of defensive technologies that include, but are not limited to, antivirus technology. Seek out comprehensive security solutions that approach security from multiple perspectives so that you are able to manage risk from the full spectrum of threats you may encounter. Useful capabilities include the ability to remotely locate or wipe a device that’s gone missing and the ability to identify and block never seen before attacks using technologies that analyze behavior and/or employ virtualization tools.
7. Educate Employees
Raise employees’ awareness about the risks of cyberthreats, mechanisms for mitigating the risk, and the value of your businesses’ intellectual property and data. Your employees are the first line of defense, and good security training and procedures can reduce the risk of accidental data loss and other insider risks.
8. Be Password Wise
Change any default username or passwords for computers, printers, routers, smartphones, or other devices. ANYTHING is better than the default. Specifically, you should use strong passwords and don’t let your Internet browser remember your passwords.
9. Operate Securely
Keep your systems secure by using layered security defenses and keeping all operating systems and software up to date. Don’t install software you did not specifically seek out and don’t download software from untrusted or unknown sources. Also remember to remove or uninstall software you are no longer using.
10. Plan for the Worst
Every small business should put together a disaster recovery plan so that when a Cyberincident happens, your resources are used wisely and efficiently. Pick an incident response team and assign a leader. Make sure the team includes a member of executive management. Define roles and responsibilities so that everyone is clear as to who is responsible for what should an incident arise. Communicate to everyone at your company who to contact if they suspect a Cyberincident has occurred (or is occurring). Gather and distribute after-hours contact information for your incident response team. Next, outline the basic steps of your incident response plan by establishing checklists and clear action items.
Read the full report online or download it in pdf version.