
Basics of a Structured Cybersecurity Program

For more information, see the National Institute of Standards and Technology (NIST) Interagency Report 7621.

Creating a cybersecurity program for a small business is straightforward. There are five functions that every security program must address.

The first step in any good cybersecurity program is to identify and assess the assets that expose the organization to risk (such as computer systems, people, data, facilities, etc.).

In the process of identifying these assets, understanding the importance these assets have to the objectives of the organization is critical. This information will be used to define the organization’s risk strategy.

Once the assets have been identified and classified by their importance to the organization’s objectives, safeguards must be developed and implemented to ensure that critical services are delivered.

After protecting the critical systems, data, and assets, the next step is to develop and implement the appropriate policies, procedures, and systems to detect events that could impact the critical systems and processes.

Once risk events are detected, how are they responded to? Proper policies and procedures for handling events need to be created, followed, and communicated to all parties.

Once a risk event has been detected and appropriately responded to, the recovery process starts. The function of recovery is to make sure the critical system is functioning normally and to evaluate improvements to the environment.

This is a very rudimentary outline of creating a cybersecurity program. There are many steps and processes between each function. The NIST publications describe the different steps in much more detail.

I recommend reviewing and familiarizing yourself with these documents before implementing a structured cybersecurity program. These frameworks are great guidelines.


How Email Works

It is not secure

Email has become one of the most prevalent ways we communicate electronically. Hundreds of billions of emails are sent every day, and none of them should be considered secure. Someone other than the intended recipient could read any of them. This is why important information should never be sent via email.

Why?

It is because email was never designed with security in mind. Many email providers, like Google’s Gmail and Microsoft’s Outlook, implement security measures to protect your email, but it is not foolproof.

The issue comes down to the fact that emails are not encrypted by default. Extra technologies have to be implemented to ensure emails are secure.

Email is similar to our post office system.

  1. A letter is dropped off at the post office.
  2. That post office then sorts the letter by region. If the letter can be handled by that post office, it stays there and is delivered the next day. If not, it is moved to a regional sorting site.
  3. There, the letter is sorted by region again.
  4. If the letter’s destination is within that regional sorting area, it is moved to the closest post office, sorted by neighborhood, and then delivered.
  5. If not, it is sent to the regional sorting location that handles the destination address.
  6. The letter is received at that regional sorting site, sorted by local post office, and then delivered.

Our email system works in a very similar way with a few big differences.

The first one, and it is a big one, is that an email does not have an envelope. An email is more like a postcard than a letter: anyone who touches that postcard can read its contents.

The second is that there is no single governing body that handles the delivery process. When an email is sent, you have no control over who will touch it before it lands in the recipient’s mailbox. It would be like our postal system randomly handing your letter to anyone who said they could get it to you.

Scenario:
Let’s say you need to send some tax information to your CPA. You log in to your Gmail account and send the email to, let’s say, YourCPA@TheBestCPA.com.

When you hit send, Gmail packages that email up, looks at the domain name you are sending it to (TheBestCPA.com), and finds the IP address (83.183.115.106) of that domain’s email server.

Gmail then sends that email to that IP address and the server then holds that email until it is picked up by the recipient.

Here are the issues:
First, like I said earlier, an email is more like a postcard than a letter. It is in plain text with no encryption by default.

Issue 1: If the connection, in this case between Gmail and TheBestCPA.com, is not secure, anybody looking at the traffic between those two companies could read that email: the internet service provider, the government, or any bad guy.

Issue 2: We do not know where TheBestCPA.com’s email server is located, nor who administers it, so we do not know how well protected that server actually is. We do not know whether the emails stored on the server are encrypted. If the email server gets hacked, all of the emails could be readable.
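Issue 1 hinges on whether the hop from the sender’s provider to the recipient’s server is encrypted. As an added example (not part of the original post), the Python code below parses the reply an SMTP server sends to the EHLO greeting and reports whether it advertises STARTTLS; without that extension the message crosses the internet in plaintext, exactly like the postcard. The two sample replies are constructed, mail.thebestcpa.example is a placeholder hostname, and the optional live check needs network access.

```python
import smtplib

# Constructed sample EHLO replies in the multi-line "250-"/"250 " format an
# SMTP server uses to list its extensions (RFC 5321, section 4.1.1.1).
EHLO_WITH_STARTTLS = (
    "250-mail.thebestcpa.example Hello sender.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.thebestcpa.example Hello sender.example [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply):
    """Return the set of extension keywords advertised in an EHLO reply.

    The first line is the server greeting, not an extension. Each later line
    is "250-KEYWORD [params]" (more follow) or "250 KEYWORD" (last line).
    """
    extensions = set()
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250") or len(line) < 5:
            continue                      # not a 250 continuation line
        body = line[4:].strip()           # drop the "250-" / "250 " prefix
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def starttls_offered(reply):
    """True if the receiving server offers to upgrade the session to TLS.
    Without it, the message crosses the internet in plaintext (the postcard)."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def check_live_server(host, port=25, timeout=10):
    """Live check (needs network): connect to the recipient's mail server, send
    EHLO, and report STARTTLS support. `host` is the server the sender's
    provider would look up in the scenario above; mail.thebestcpa.example is
    a placeholder. STARTTLS is opportunistic: a server that does not offer
    it still accepts mail, just over an unencrypted connection."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")
```

Even when STARTTLS is offered, only the hop between the two providers is protected; the message still sits readable on the receiving server, which is Issue 2.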

Solution:
The solution is not to stop using email. Email is a reliable mechanism for sending information, but it is not reliable for sending secure information. The only way to send secure information is to use encryption, and not all email systems support encrypted emails.

If anyone, whether a doctor, a CPA, a bank, or anyone else, requests that you send personal information like Social Security numbers, bank account numbers, driver’s license photos, or passport photos, ask for a secure location where you can upload them. Do not send it via email.


Where to find more information for Small Businesses

To wrap up Small Business Week, I am going to provide resources to further your education on cyber security. There is so much information out there that one can get lost in the ocean, but there are a few really good places to go. These are the sites I have found useful in my journey to write these posts.

The first place every security-conscious business owner needs to start is the Small Business Administration (SBA). The SBA is there for us and provides a wealth of information on all kinds of business issues. Their cybersecurity site is easy to follow and easy to read: good information without being overwhelming.

https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats

The next is the Department of Homeland Security (DHS). DHS is really trying to protect the homeland, and they have a ton of information on all kinds of threats. One of my favorite links is to their cybersecurity roadmap. There are four tiers you can build on to enhance your security.

https://us-cert.cisa.gov/sites/default/files/c3vp/smb/DHS-SMB-Road-Map.pdf

The last link is for the Cybersecurity and Infrastructure Security Agency (CISA). CISA is a go-to site for a lot of my research. They have alerts, tips, and other resources for the security-minded business owner.

https://us-cert.cisa.gov/ncas/tips

As I close out this week, I hope you, your loved ones, and your business stay safe. Enjoy the weekend.