By Jon-Michael C. Brook, Principal, Guide Holdings, LLC
Most small businesses adopt some sort of cloud offering, be it Software as a Service like Quickbooks or Salesforce, or even renting computers in Amazon Web Services or Microsoft’s Azure, in an Infrastructure as a Service environment. You get Fortune 50 IT support, including things that a small business could never afford, like building security and power fail-over with 99.999-percent reliability.
While cloud has great advantages, you must know your supply chain. Cloud providers use something called the shared responsibility model. Their risks and vulnerabilities become yours, so choosing a discount provider may open you up to compliance issues you never thought possible. That said, cloud does allow small business to focus on their competitively different things, leaving the technical aspects to others for essentially a pay-as-you-go utility computing.
In today’s increasingly complex security environment, following these three top security tips will go a long way to letting small business owners concentrate on running their business rather than keeping up with the latest security issues.
Something you know
Let’s talk about authentication, typically referred to as passwords. The first thing to establish is “something you know,” like a pin or password. The worst thing anyone can do in today’s day and age is use one username with one password. If any one of the sites used becomes compromised, the username/password combination will be sold on the Dark Web as a known combination. The lists are huge, but infinitely faster on other banking or e-commerce sites that implement effective security. This happened in the Yahoo! breach that nearly scuttled the Verizon acquisition a couple years ago, sending ripples throughout the web and forced resets by nearly every company in the world.
At the very least, use a unique password with between eight and (preferably) 16 characters. Characters are more than numbers and letters. The more of the keyboard utilized, the longer testing every combination in a brute force attack becomes.
Password managers such as LastPass or KeePass will make keeping these organized easier, and they synch across the various phone, laptop and desktop devices through cloud providers like Dropbox, Box and OneDrive. Many of these are now tying in to the “something you are” such as fingerprint or facial recognition.
Something you have
The next step up is a technique known as one-time passwords. They are much more than one-step effective and take the something you know to also include “something you have” in your mobile device. That’s why banks and financial trading firms incorporated the technology a few years ago.
As security gets better, so, too, do the hackers. SIM-card duplication and other attacks gave rise to something call soft tokens from Google Authenticator and Authy. The apps use a synchronized clock and the same hard mathematics in cryptography to make a system where the next number is easy to compute in the valid minute of use but the previous is impossibly difficult before the timer clicks over to the next one.
Currently, the most secure consumer password scenario comes from mathematics developed in the late 70’s called public key cryptography. This is the same technology in the soft token apps but in a purpose-built device, typically seen as a key fob or USB from manufacturers like Entrust, RSA or Yubi. This takes the one-time password to the next level by self-erasing on any attempt to get to the originally entered number.
To recap, secure passwords should be a combination of something you know, something you have and something you are, with an order of strength: Same Passwords -> Unique Passwords -> Txt Messages -> Soft Tokens (Authenticator/Authy) -> Hard Tokens (SecureID/RSA/Yubi)
Built-in, not bolted on
Lastly, follow your industry/vertical’s rules early.
The typical adage of “built-in, not bolted on” holds true for small business if you really want to make it in the long haul. It’s always easier to include security in the beginning than shoehorn it in afterwards. A small business may be fined for non-compliance to the point of bankruptcy by a few of the below regulations:
- US Securities and Exchange Commission’s Sarbanes Oxley (SOX);
- Payment Card Industry’s Data Security Standard (PCI-DSS);
- Health Insurance Portability and Accountability Act (HIPAA);
- Privacy controls by the US Federal Trade Commission’s Fair Credit Reporting Act (FCRA) and Children’s Online Privacy Protection Act (COPPA); and
- European Union’s General Data Protection Directive (GDPR).
Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in information security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. He is co-chair of CSA’s Top Threats Working Group and the Cloud Broker Working Group, and contributor to several additional working groups. Brook is a Certified Certificate of Cloud Security Knowledge+ (CCSK+) trainer and Cloud Controls Matrix (CCM) reviewer and trainer.