Small businesses are increasingly becoming a target by hackers. In a recent USA Today story
"Hacking a big danger for small businesses," cyber attacks are not just reserved for big companies. Data breaches of notable brands such as Target and Home Depot have dominated the headlines over the past year, but small businesses are also targets and are more vulnerable than ever.
According to a 2013 survey by the National Small Business Association, 44% of small businesses have been attacked and of those cost on average $8,700 per affected company. Attackers realize that small businesses don't often have the resources, time and knowledge to ensure their systems are secure.
Many small businesses are also trusted as third parties for big companies, such as performing services that require access to facilities, systems and data. With that trust, comes the responsibility and need for good security tools, processes and knowledge to safeguard data. Brian Krebs described in his blog
how an HVAC vendor for Target fell victim to a targeted phishing campaign that successfully compromised the vendor's systems to install malware and also steal logins and passwords. The successful attack was then used to infiltrate Target's network via the stolen vendor credentials.
Many of these types of stories could have been prevented with more security knowledge, awareness and attention to detail. The human element is often the weakest link contributing to many data breaches. In this article, I have outlined 3 types of security tools and tips
that you may use in your business to stay one step ahead of attackers. These aren't necessarily sexy security software tools or gadgets, but rather great online resources to help improve data security in your business and reduce the odds of becoming another hacking statistic.
1 - Knowledge is Power (Free Web Resources)
If you are new to information security or interested in proactively improving security in your place of business, make the habit of staying up to date with the latest security events and trends by reading security blogs, news sites or research companies. You don't need a lot of money to learn something new every day in the field of information security. There is no shortage of security topics such as computer fraud, cybercrime, cybersecurity, forensics, network security, application security, cyber policies, and business continuity planning, just to name a few.
Listed below is a small sampling of good security resources or tools you can use to increase your security knowledge and awareness in order to help prevent future threats to your business.
Are you also looking for a brief overview or introduction to learn more about different security topics? Securezoo has also provided a sort of "knowledge base" tool, where you can read a brief summary of selected security topics
, along with guidance and best practices
you can put to immediate use. Each topic will also list related news events, standards and white papers.
2 - Security Standards
If you are looking for more in-depth information security guidance to use in upcoming security projects, tool implementations or to help meet regulatory compliance requirements, check out the following security standards resources:
- Payment Card Industry (PCI) Data Security Standard (DSS): The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to protect payment card data.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule: HIPAA was etablished to ensure healthcare data protection standards and regulatory requirements for various healthcare providers and companies that handle healthcare data.
- Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook): Data protection requirements for financial institutions such as banks, brokerages, etc.
- ISO/IEC 27001:2013: A widely used security framework and guideline to implement a holistic Information Security Management System (consists of 14 security groups or "domains" used to organize security controls).
- DISA STIGs: Security Technical Implementation Guides (STIGs) developed by DISA for the DoD (includes hardening guidelines for various technology platforms to include Windows, Red Hat and Network devices to name just a few.
Securezoo has also created a security standards resource tool
to help make it easier to find standards and documents based on a security topic or security standards author.
3 - Security Advisories (Automate via Twitter and Email Alerts)
As we all know, hackers are getting better and faster at creating new exploit kits to automate the detection and exploitation of known vulnerabilities, as soon as they become known to the public.
Make a habit of checking security advisories for those technologies you use in your business (and patch immediately), for instance:
- Microsoft Security Bulletin (Technet): famous for "Patch Tuesday" and ongoing monthly or interim security patch announcements
- Red Hat Security Advisories: Security Alerts, Bug Fixes, and Enhancements for Active Red Hat Products
- Apple Security Updates: security updates for Apple products to include Max OS X, iOS and others.
- Google Security Releases: Security and product updates for Google Chrome
- Adobe Security Bulletins and Advisories: security advisories for Adobe products to include Flash, Reader and many others.
- WordPress Security Releases: archive of security releases for the popular open source blogging platform.
- United States Computer Emergency Readiness Team (US-CERT): "leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the Nation while protecting the constitutional rights of Americans."
Also, check vendor websites for supported operating systems and support lifecycle. For instance, see Microsoft's Product Lifecycle Search
website and also RedHat's Enterprise Linux Life Cycle
To help you stay on top of many of the numerous security advisories, Twitter is a valuable tool to get the latest advisories for information security updates.
In conclusion, we hope some of these resources can help you in your quest to improve your knowledge in security and also protect your systems and data. Have fun with all the reading and research, as time permits. Security doesn't always have to be so serious and dreary as the headlines often describe. It is fascinating to learn new technologies every day and the amazing human element of security as well.
Remember, be secure. It's a zoo out there!
(This article was originally published on Securezoo.com