This is a guest article written by Katherine Luk. The author’s views are entirely her own and may not reflect the views of IT Governance.
Small businesses are increasingly finding themselves the target of cyber attacks. In 2015, SMBs with fewer than 250 employees became the segment of business most targeted by hackers, and these businesses are often most at risk because of their limited cybersecurity capabilities. Small businesses are by no means the only targets, however: over eight in ten businesses became victims of phishing attacks in 2015. Many organizations have found it hard to protect against socially engineered breaches, including healthcare providers, finance companies and, most notably, Hillary Clinton’s presidential campaign. Luckily, whatever the size of your business, there are some simple physical security measures you can take to protect your information.
Work isn’t just for the office anymore; more people are now working from home, local coffee shops and co-working spaces than ever before. These environments are catching on quickly, even at multinationals, but their public nature creates additional security risks. Remember when Google Chrome’s incognito mode first came out? While Google suggested it would be handy for planning surprises, it also warned users that going incognito did not protect their browsing activity from people standing behind them. The same is true for any sensitive information you work on in a public place: anyone with a line of sight to your screen can read it. Laptop privacy filters have become readily available to combat this issue, and some business-focused laptops now offer built-in privacy filters.
- Local access
Another potential threat is physical access to machines that hold sensitive information. This is possible anywhere that is publicly accessible, including office space open to guests. Even an open USB port can allow an intruder to connect to your company’s systems and access secure information.
This type of physical attack is still prevalent and can have devastating consequences. The most notable use of this technique occurred in 2012 when the Stuxnet virus penetrated Iranian nuclear facilities. Although the computer systems at the facility were air-gapped, meaning they had no connection to outside networks, an employee used a compromised USB drive to interface with the system, and the virus spread to the other computers and USB drives connected to the network.
In a Cisco white paper from 2011, Edward Erickson is quoted on the issue of physical access:
“In an open, trusting and tech savvy environment, the best access control system may be predicated upon a link to system access. If you fail to badge into the building, you don’t get access to the systems. The collateral benefits abound: building management systems, incident awareness, and who is in the affected building.”
While tying system access to building access is a strong control, not every company can integrate such a system into its existing premises, and small businesses in particular often cannot. Another way to prevent unauthorized physical access takes only two seconds to apply and costs less than two dollars: a USB port blocker. Blockers can easily be fitted throughout the office on every publicly accessible computer. However, because most USB blockers are removable, you will still need to educate employees on why physical access to your systems is so dangerous.
- Theft prevention
It seems almost funny at first: you’ve taken your laptop to do some work at Starbucks, and you step away for a quick bathroom break. When you get back, your laptop is nowhere to be found. Laptop theft is still common, affecting everyone from independent game developers to patients of major hospitals. In the latter case, the hospital ended up paying a fine of $90,000 to the state of Connecticut after a laptop was stolen from an employee’s home. Laptop locks are easy to find and very inexpensive compared with the cost of a stolen laptop. Be aware of other theft opportunities, such as leaving laptops visible in unattended cars or bags, and educate employees on best practices to minimize the risk of theft.
- Multi-factor authentication
In terms of cost-benefit ratio, multi-factor authentication (MFA) is one of the best steps you can take to secure sensitive information and account access. Supported by many major tech companies, including both Google and Amazon, this additional security measure is quickly gaining in popularity. It confirms identity using more than one independent factor, which can range from possession of a device to biometric identifiers.
A Cisco white paper describes MFA as requiring both something you have, such as a cell phone or ID badge, and something you know, such as an account password or PIN. For instance, Google’s typical two-factor authentication (2FA) setup for a Gmail account requires both your Gmail password and an access code sent to an approved cell phone. Even if your account password is compromised, an attacker cannot get at your information without also having your device in hand.
This have/know pairing can be extended with a third kind of factor, something you are: biometric identifiers. Many business-class laptops now have built-in fingerprint scanners, and others use webcams to run facial recognition algorithms that verify the user’s identity. While that feature requires specific camera technology (depth cameras) to operate, the push for more robust security offerings in the business space will only improve the options for privacy-conscious consumers.
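To make the have/know split above concrete, here is an added example (not from the article, Cisco or Google) of the server-side check for the “something you have” factor, using a time-based one-time code of the kind authenticator apps generate (RFC 6238); the Gmail setup described above delivers its code by SMS instead, but the property is the same: a stolen password alone never yields a valid code. The secret is the published RFC test key, and the clock-drift window and replay rule are my assumptions, not any vendor’s policy.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32,
# the encoding an authenticator app receives in its enrolment QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code (RFC 6238 default)
DIGITS = 6

def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, 6 digits."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)

def totp(secret_b32: str, now: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, int(now) // TIME_STEP)

class SecondFactor:
    """Verifier for the 'something you have' factor (assumed policy).
    Accepts the current time step and one step on either side to tolerate clock
    drift, and never accepts a time step twice, so an intercepted code cannot be
    replayed after the legitimate user has consumed it."""
    def __init__(self, secret_b32: str, drift_steps: int = 1):
        self.secret = secret_b32
        self.drift = drift_steps
        self.last_used_step = -1

    def verify(self, code: str, now: float) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        step = int(now) // TIME_STEP
        for candidate in range(step - self.drift, step + self.drift + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed, or older than a consumed code
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_step = candidate
                return True
        return False

if __name__ == "__main__":
    # What the enrolled phone would display right now, and the server accepting it once.
    checker = SecondFactor(DEMO_SECRET_B32)
    shown = totp(DEMO_SECRET_B32, time.time())
    print(shown, checker.verify(shown, time.time()), checker.verify(shown, time.time()))
```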
There are many ways to protect sensitive information from attackers; these are just a few simple options. In the rapidly changing world of cybersecurity, having the latest information can give you the upper hand, so it’s important to stay current. Check the security information and advice provided by government agencies, such as the Small Business Administration’s top ten cybersecurity tips or the regularly updated US-CERT guidance on avoiding social engineering attacks. Security companies such as Cisco and Symantec also provide useful data and analysis, as in Symantec’s Internet Security Threat Report. Above all, make sure your employees recognize the importance of maintaining security: every employee with access to sensitive information needs to help protect it.
Educating your employees to protect against security threats can be accomplished in a cost-effective manner. IT Governance e-learning courses train staff to become aware of security issues, how to spot them, and how to prevent attacks.