Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Understanding the risks involved with data security can help you prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize types of risk:

  • Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
  • Worms: This type of code propagates between systems without user intervention. Worms typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems or to the facilities where those systems are housed, or when other conditions arise that may affect the organization’s exposure to risk.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the provider usually maintains Web servers, and most ISPs offer Web hosting capabilities. As part of these services, many providers perform backups of emails and files, and may implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption (SSL/TLS) to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems or a high volume of users? If the ISP knows that its services will be unavailable, does it adequately communicate that information to its customers?
  • User support – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Contact your broker today to ensure you have the proper coverage to protect your company against a data breach.

© Zywave, Inc. All rights reserved

5 Steps to Website Security

Website security is more important than ever. Cyber criminals are constantly looking for improperly secured websites to attack; therefore, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach may include loss of revenue, damage to credibility, legal liability and loss of customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. By securing your Web server, you protect the customers and prospects who use your company website. The following are examples of specific security threats to Web servers:

  • Cyber criminals may exploit software bugs in the Web server, underlying operating system or active content to gain unauthorized access to the Web server.
  • Denial-of-service attacks may be directed at the Web server or its supporting network infrastructure to prevent or hinder your website users from making use of its services. This can include preventing the user from accessing email, websites, online accounts or other services. The most common attack is flooding a network with information, so that it can’t process the user’s request.
  • Sensitive information on the Web server may be read or modified without authorization.
  • Information on the Web server may be changed for malicious purposes.
  • Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network with a successful attack on the Web server.
  • The server may be used as a distribution point for attack tools, pornography or illegally copied software.

Take the following five steps to protect your company from the threats listed above.

Step 1: Form a plan and utilize the right people.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support Web server administrators in making the inevitable trade-off decisions between usability, performance and risk.

Make sure to define appropriate management security practices, such as identification of your company’s information system assets and the development, documentation and implementation of policies, as well as guidelines to help ensure the confidentiality, integrity and availability of information system resources.

Businesses also need to consider the human resources requirements for the deployment and continued operation of the Web server and supporting infrastructure. Consider the personnel you will need on your team—for example, system and Web server administrators, webmasters, network administrators and information systems security personnel. Additionally, consider the level of training (initial and ongoing) that will be required to maintain this team.

Step 2: Ensure that Web server operating systems and applications meet your organization’s security requirements.

When securing a Web server, you must first secure the underlying operating system. Most Web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, Web server administrators must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Make sure to take the following steps as appropriate to your business:

  • Patch and upgrade the operating system.
  • Change all default passwords.
  • Remove or disable unnecessary services and applications.
  • Configure operating system user authentication.
  • Configure resource controls.
  • Install and configure additional security controls.
  • Perform security testing of the operating system.

Step 3: Publish only appropriate information.

Company websites are often one of the first places cyber criminals search for valuable information. Still, many businesses lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published, or what should at least be carefully examined and reviewed before being published on a public website, include the following:

  • Classified or proprietary business information
  • Sensitive information relating to your business’ security
  • A business’ detailed physical and information security safeguards
  • Details about a business’ network and information system infrastructure—for example, address ranges, naming conventions and access numbers
  • Information that specifies or implies physical security vulnerabilities
  • Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings, properties or installations
  • Any sensitive information about individuals that might be subject to privacy laws

Step 4: Prevent unauthorized access or modification on your site.

It is important to ensure that the information on your website cannot be modified without authorization. Users of such information rely on its integrity. Content on publicly accessible Web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public Web content through the appropriate configuration of Web server resource controls. Examples of resource control practices include the following:

  • Install or enable only necessary services.
  • Install Web content on a dedicated hard drive or logical partition.
  • Limit uploads to directories that are not readable by the Web server.
  • Define a single directory for all external scripts or programs executed as part of Web content.
  • Disable the use of hard or symbolic links.
  • Define a complete Web content access matrix identifying which folders and files in the Web server document directory are restricted and which are accessible, and by whom.
  • Disable directory listings.
  • Deploy user authentication to identify approved users, along with digital signatures and other cryptographic mechanisms as appropriate.
  • Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify Web content.
  • Protect each backend server (e.g., a database server or directory server) from command injection attacks.

Step 5: Continuously protect and monitor Web security.

Maintaining a secure Web server requires constant effort, resources and vigilance. Securely administering a Web server on a daily basis is essential. Maintaining the security of a Web server will usually involve the following steps:

  • Configuring, protecting and analyzing log files
  • Backing up critical information frequently
  • Maintaining a protected authoritative copy of your organization’s Web content
  • Establishing and following procedures for recovering from compromise
  • Testing and applying patches in a timely manner
  • Testing security periodically
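As an added illustration of the file integrity checking named in Step 4 and the protected authoritative copy named in Step 5 (example code, not from the original article): a baseline manifest of SHA-256 digests is taken from the authoritative copy of the Web content, and later scans of the served directory are compared against it to flag added, removed or modified files. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(web_root: Path) -> dict:
    """Map each regular file (path relative to the document root) to its digest.
    Symbolic links are skipped, in line with the advice to disable such links."""
    manifest = {}
    for p in sorted(web_root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(web_root).as_posix()] = hash_file(p)
    return manifest

def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline; an empty report means no drift."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a tiny docroot, then simulate a defaced
    page, an unexpected new file and a deleted page, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "css").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "about.html").write_text("<p>About us</p>")
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        baseline = build_manifest(root)   # taken from the protected copy
        (root / "index.html").write_text("<h1>Defaced</h1>")
        (root / "unexpected.txt").write_text("not part of the site")
        (root / "about.html").unlink()
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest would be stored outside the Web server’s reach and the comparison run on a schedule, with any non-empty report feeding the log analysis and compromise-recovery procedures above.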

Taking proactive measures to secure your website by carefully setting up and maintaining your Web server can save your business from experiencing crushing losses of revenue, customer loyalty and proprietary information. For more information about how to mitigate your cyber risk, contact your broker today.