Editor’s note: Wired for Safety is a column on cybersecurity and other tech issues. Duane Dunston is an assistant professor of cybersecurity and networking at Champlain College. He received his bachelor’s and master’s of science from Pfeiffer University. From 2001 to 2011 he worked in cybersecurity for NOAA. He is a doctoral student at Northeastern University with a concentration in Curriculum, Teaching, Learning, and Leadership. His other activities include “You Have A Voice,” a project to develop an electronic screening assessment to identify human trafficking victims.
[A] colleague recently inquired if I could start a cybersecurity program with no budget, and I replied, yes. A cybersecurity program requires management being willing to implement policies, processes and procedures to minimize risk to the organization's information assets -- that doesn't cost any money. However, some processes and procedures will cost money to support the cybersecurity program (e.g. anti-virus, offsite backup storage -- external drives or cloud solutions -- and paying for background investigations). Many technical procedures can be performed manually; they are just more labor intensive unless someone in the organization learns to script (for example, with Windows PowerShell) to automate them.
Starting a cybersecurity program with no budget or a limited budget is possible. Whether you are a home user, one person business, or large organization, these recommendations could help you get started with understanding your cybersecurity needs.
Upper management support is essential
The first requirement is upper management support. The culture of risk management starts at the top. If executives take it seriously, then others in the organization have to follow. Tight or nonexistent security budgets really need to be reconsidered, because the cost of a breach could be substantial. Employees can, however, do manually what security products help automate. With strong management support for limiting software downloads, checking that anti-virus is updated, and limiting the use of external devices like thumb drives, the amount of manual work can be reduced when there is no budget for security products.
Management should lay out policies to support the security program. Here are some free templates that help expedite the development of the policies.
It is important that the policies be enforced and pushed out to the organization by upper management. Accordingly, each policy should have the name of the person responsible for enforcing and interpreting it.
Managing information is the key to beginning a security program
In order to start a security program, it is essential to know what needs to be protected, so that people and financial resources can be directed appropriately and at the right technologies to support it.
For each person at the table:
• What type of information are they handling in the organization? Social Security numbers, credit card numbers, customers' personal information, customer financial records, digital notes of conversations with customers or internal employees, medical information on patients, organizational bank account information, etc.
• Make a note of the type of information and have the stakeholders answer the following questions:
  • What happens if this data becomes inaccessible (hard drive failure or ransomware)?
  • Do we have backups of the data that exist off of the computer? If no, it is time to purchase an external hard drive or use a service like SpiderOak ($149/year on unlimited devices). You can also purchase a 1 terabyte external drive for $40 and up and use the native OS encryption such as Windows BitLocker or FileVault for macOS. A recommendation is to have rotating backups so one copy stays offsite from your organization.
    • If so, have the backups been tested to ensure they will restore as expected?
    • If no, perform a test: restore files to a temporary directory and check to ensure it contains the expected information.
  • If there are Social Security numbers, or other sensitive data like credit card numbers, does that information need to be stored on the computers?
    • If so, encryption tools or the application's native encryption should be used when the files are not in use (such as password protecting Microsoft Office documents). Use native hard drive encryption for the operating system. Windows BitLocker and macOS FileVault are native and can be enabled. This protects data when the computer is turned off. Microsoft's native document encryption, for example, protects the file when it is not in use or not opened while the computer is turned on.
    • If not, delete the files or the field that contains the sensitive data.
  • Determine if SSNs or credit card numbers need to be stored locally.
  • If you are using web-based services that contain sensitive information, see if it can stay there without having to save it to your local computer.
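The restore test described above, as an added example that is not from this column: a PowerShell script that copies the most recent backup into a scratch directory and verifies, by SHA-256 hash, that every live file comes back intact. The source, backup and scratch paths are assumptions; adjust them for your environment.

```powershell
param(
    [string]$Source  = "C:\BusinessData",            # live data (assumption)
    [string]$Backup  = "E:\Backups\BusinessData",    # most recent backup copy (assumption)
    [string]$Restore = (Join-Path $env:TEMP ("restore-test-" + (Get-Date -Format "yyyyMMdd-HHmmss")))
)

# Map each file's path relative to $Root to its SHA-256 hash.
function Get-RelativeHashes {
    param([string]$Root)
    $Root = (Resolve-Path $Root).Path.TrimEnd('\')
    $map = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length + 1)
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

# Step 1: perform the restore into a scratch directory, never over the live data.
New-Item -ItemType Directory -Path $Restore -Force | Out-Null
Copy-Item -Path (Join-Path $Backup '*') -Destination $Restore -Recurse -Force

# Step 2: every live file must come back from the restore with identical content.
# MODIFIED entries are files changed since the backup ran; MISSING entries mean the
# backup job is not capturing everything and need attention first.
$live     = Get-RelativeHashes -Root $Source
$restored = Get-RelativeHashes -Root $Restore
$issues = @(
    foreach ($rel in $live.Keys) {
        if (-not $restored.ContainsKey($rel))    { "MISSING  $rel" }
        elseif ($restored[$rel] -ne $live[$rel]) { "MODIFIED $rel" }
    }
    foreach ($rel in $restored.Keys) {
        if (-not $live.ContainsKey($rel)) { "EXTRA    $rel" }   # deleted since the backup
    }
)
if ($issues.Count -eq 0) { "Restore test passed: all $($live.Count) files restored intact to $Restore" }
else { "Restore test found $($issues.Count) issue(s):"; $issues }
Remove-Item -Path $Restore -Recurse -Force   # clean up the scratch copy when done
```

Run it after each backup rotation and keep the output with the backup log, so a backup that silently skips files is caught before you need it.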
If the software application is used on your local computers, then you may have to contact the organization that created the software to determine how to remove the sensitive data, automatically delete the data, or if the data can be encrypted when it is not in use.
If you are dealing with credit cards, you should be aware of Payment Card Industry (PCI) compliance requirements.
It is my experience that people sitting around the table and making a concerted effort to discuss information in their organization can lead to robust discussions, because there is almost always a duplication of effort that comes out of the conversation. Sometimes someone learns another office is handling data they should not be handling. Even more interesting is when it is learned that no one knows who has the master dataset. That is, business data is being stored in different locations and being modified or processed to create a product, and those involved don't know whose dataset is the most accurate. These types of issues occur because organizations evolve and miscommunication, or no communication at all, may occur. Sometimes people get tired of waiting for data or don't like the program everyone else uses, so they create their own method of managing the data. Unfortunately, that can lead to the mishandling of data. Resolving these types of issues requires the much needed management support to consolidate data so it can be better managed.
These discussions lead to the question of where the data is stored throughout the organization. It will require physically walking around and documenting all digital assets that have some type of network connectivity (printers, scanners, fax machines, phones, laptops, mobile phones, etc.). Then the computers need to be searched to determine what documents exist on each one. It will require review to determine if documents are stored on computers where they should not be. It doesn't mean there is a breach if documents are on the computer of someone who doesn't use them. They may be using a computer that belonged to someone previously employed, or may have swapped computers. The purpose is to locate all documents that were identified as containing sensitive information and restrict access to only those computers and users that need it. This is not an easy process. Remember that two people may have the same document but with slightly different information, so it has to be reconciled which document is the most up-to-date. One person, for that matter, may have two copies of a document with different data.
Many operating systems have file and folder tagging, so you can group similar file types or files containing similar information. TagSpaces and ConnectPaste are tools that can help with the management of tags and grouping of similar files.
If you are in a Windows environment and using Windows Active Directory, then Microsoft's Dynamic Access Control is native and provides robust data classification, file protection, auditing, and retention policies. It is highly recommended to look into this solution.
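Searching each computer for documents that contain sensitive data, as an added example that is not from this column: a PowerShell inventory script that scans user directories for Social Security number and payment card patterns (card candidates are filtered with the Luhn check to cut false positives) and writes only file paths, owners and match counts to a CSV, never the matched values themselves. The root paths, report location and file types are assumptions.

```powershell
param(
    [string[]]$Roots = @("C:\Users"),                                  # where to look (assumption)
    [string]$Report = "$env:TEMP\sensitive-data-inventory.csv",       # report path (assumption)
    [string[]]$Extensions = @("*.txt", "*.csv", "*.log", "*.xml", "*.json", "*.htm*")
)
# Office files (.docx/.xlsx) are zip containers and need a separate tool to inspect.

# Luhn check: rejects most digit strings that merely look like card numbers.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int]$Digits.Substring($i, 1)
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

# SSN: AAA-GG-SSSS, excluding area 000, 666 and 9xx, group 00 and serial 0000.
$ssnPattern  = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
# Card: 13-16 digits with optional spaces or dashes between them.
$cardPattern = '\b(?:\d[ -]?){12,15}\d\b'

$findings = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_; $ssn = 0; $card = 0
        Select-String -Path $file.FullName -Pattern $ssnPattern -AllMatches -ErrorAction SilentlyContinue |
            ForEach-Object { $ssn += $_.Matches.Count }
        Select-String -Path $file.FullName -Pattern $cardPattern -AllMatches -ErrorAction SilentlyContinue |
            ForEach-Object { foreach ($m in $_.Matches) { if (Test-Luhn ($m.Value -replace '[ -]', '')) { $card++ } } }
        if ($ssn -or $card) {
            # Only counts and location are recorded; the matched values never leave the file.
            [pscustomobject]@{
                Path = $file.FullName; Owner = (Get-Acl $file.FullName).Owner
                LastWrite = $file.LastWriteTime; SsnMatches = $ssn; CardMatches = $card
            }
        }
    }
}
$findings | Sort-Object SsnMatches, CardMatches -Descending |
    Export-Csv -Path $Report -NoTypeInformation
"Wrote $(@($findings).Count) file(s) with possible sensitive data to $Report"
```

Review the report with the file owners at the table: each entry is either a file that should be moved, encrypted or deleted, or a false positive to note and ignore.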
Organizations need to know what type of information they are handling and be prepared for when there is an impact to information dissemination, access, and management.
I discussed previously the first step in the process, where you sit at the table with the key people in your organization and start with:
• "What happens if we lose internet access?"
  • This question helps an organization understand its mission for itself and its customers.
  • The situations to think of are a cyberattack, ice causing phone lines to go down, or some other unforeseen impact to the physical location of your organization.
  • Have the number for technical assistance for your Internet Service Provider (ISP) easily accessible for the primary point of contact in your organization who will call them.
  • Inquire with them on how soon service will be restored. It will help with the next questions.
• "How long can we be offline before there is an impact to our mission, customers, and our finances?"
• "How do we get back online temporarily until we are at full operating capacity?"
  • Is it possible for employees to work from home?
  • Can a temporary wifi hotspot be set up with limited capabilities to sustain essential business functions? (Some cell phones can support this using their 3G or 4G connection.)
  • Will employees be able to keep the information safe if they use their personal computers? (Do they have up-to-date antivirus, are they patching their computers, and is there a dedicated account they can create on their home computer for only work-related tasks?)
  • Are there alternative methods for customers to communicate with your organization, such as cell phones or a commodity phone line?
  • Some phone providers can forward a phone number to an external phone, so someone could have calls go to their cell phone until services are back online (this assumes there is an impact to the physical location), or someone could access voicemail remotely and relay messages to the appropriate personnel.
After identifying the various information, ask:
• "What software is being used for day-to-day work to interact with and manage business-essential files?"
  • Is the software properly licensed?
  • Is it being supported and updated?
  • What is the email, phone, or website support contact for each software application?
Again, document the responses to the questions.
If the software is not being supported, begin making a plan to restrict access to the software until a replacement can be found. Restricting access means minimizing its exposure to the Internet and to those internally who don't need access to it. A plan should also be developed to determine the cost and time necessary to replace the product.
What third-party applications are being used for day-to-day business functions? Third-party applications include Chrome, Adobe Reader, PDFCreator, Java, etc. Those are software programs that require support and updates outside of the standard Windows updates.
If you use any of the software listed on the Ninite website, investing in the Pro version can help you manage the third-party program updates from one computer. If you have around 250 computers, Ninite will cost around $1,600/year.
Management support is really essential here when it comes to consolidating software because it can have a business impact when people have to learn a new software program which changes their workflow.
Limit software installed or downloaded to computers as much as possible. Websites such as Portableapps.com make this difficult, because the programs they offer run without needing to be installed. However, learning about permissions on user directories (removing execution permissions for non-administrative users) or application whitelisting can help tremendously.
Based on the recommendations so far, you start a security program by understanding what data and assets you have to protect and getting that under control. It requires sitting and talking with others in the organization (or with yourself, if you are the only employee). You can use existing security features native to your operating system, and the recommendations discussed so far cost less than $2k for those with a tight budget. These are the beginnings of a security program, and I'll discuss more steps to take to start and sustain it in the next articles.