The Birmingham Business Journal recently featured Past Technology Group President, Jason Asbury, in a Table of Experts series discussing Cyber Security. Jason has more than 15 years of experience working in the IT industry. He has worked in an advanced technical capacity as a systems engineer, and has had a primary focus in IT consulting. He has been heavily involved in implementations and management of multiple patient care systems and associated medical management applications including EMR, Practice Management, PACS, Lab Information Systems, IMH, Telemetry, Clearing Houses and Oncology Radiation Systems. He maintains a unique skillset including experience providing consulting services and managing projects for clients in the fields of banking, insurance, education and law. Jason worked in an advanced technical capacity as a systems engineer for Science Applications International Corporation and served as an operations executive in the managed services and project implementations consulting arena for six years. As President of Warren Averett Technology Group he is responsible for the day-to-day management of the company and its overall direction with regard to strategic growth and planning. Jason’s portion of the discussion is featured below. Q: There have been several high profile data breaches in recent years that have affected large companies? How big is the threat for small businesses? Jason Asbury: The threat for small businesses is just as great as the threat that has been so heavily publicized for large companies. Companies of all sizes and industries are being affected daily. News of these breaches are not making headlines due to the smaller impact to the masses. However, these incidents are seriously affecting principals, owners and employees of small businesses. We receive calls from breach victims almost weekly. Examples of incidents include credit card breaches, successful email phishing attempts, and key loggers. Q: What can my business do to reduce the likelihood of a cyber-attack? Asbury: The notion of reducing the likelihood of an attack is somewhat futile. Any organization with access to the Internet is subject to attack. The key is to be prepared when the attacks occur. Proper planning, controls, monitoring, alerting and overall management of IT security is absolutely necessary in order to turn attacks into failed attempts. Q: What are the key ingredients for a cyber-security strategy? Asbury: Managing a cyber-security strategy begins with a risk analysis. In order to create and implement the proper strategy, risk must be clearly understood. Not all companies share the same risk. Secondly, all effective systems and strategies are governed by good policies. A thorough IT security policy is essential in managing risk. Security policies should not only create a framework for day-today management of risk, though. They should also identify and designate key roles within an organization. For instance, every business should have a security officer or manager as well as a risk officer or manager, and all organizations must plan for the worst. This means that an incident response plan is necessary and someone must be designated to manage the recovery steps taken after a breach has occurred. In my experience, most companies fail to implement a strong cyber-security plan because they don’t start with an analysis of risk paired with a solid IT security policy. Q: What are some things businesses often overlook when developing a plan to protect their sensitive data? Asbury: Several matters are often overlooked. Many organizations fail to recognize that most incidents occur from within and not from outside the network. The small things are very important and, in our experience, they are often the culprit when dealing with breaches. Things like proper patch management, centrally managed anti-virus solutions, and consistent system refresh cycles are often considered more relevant to system administration duties rather than risk management. We do a lot of work relative to PCI security and breach remediation for restaurants. Just a few weeks ago, a client replaced some legacy point-of-sale terminals with new Windows 7 based stations. Management felt as though an adequate safeguard was being implemented by installing newer terminals. However, upon inspection, we found that these devices came preconfigured with disabled Windows update settings. After running a vulnerability scan on new systems, we discovered 152 critical vulnerabilities on new equipment. This is a great example of a plan that was executed with the best of intentions. However, at the end of implementation, important factors had been overlooked. Q: What type of third-party services and products can be used to help prevent a breach and keep sensitive information secure? Asbury: There are a number of services that can assist in managing risk. We recommend that organizations consider third-party monitoring, logging and alerting services for critical systems and network entry points. The assurance of proper oversight relative to security is essential to preventing an incident. Another good outsourced service to consider is quarterly vulnerability scanning and annual penetration testing in order to regularly assess and remediate risk. Q: What are some best practices to help monitor for and identify breaches? Asbury: This closely aligns with the previous question regarding third-party solutions. Critical device monitoring and alerting is a great first line of defense and notification. Additionally, organizations should consider Intrusion Detection and Protection solutions that both alert in the event of attempted access and also automatically enforce mechanisms to thwart the attack. Next Generation firewalls should also be configured to monitor Internet traffic and alert when suspicious activity takes place. Additionally, centrally managed anti-virus solutions should be configured to alert appropriate personnel when viruses are discovered. Q: What are the key components to be included in a breach/incident response plan? Asbury: The goal of an incident response plan (IRP) is to handle a situation in the best way possible to reduce recovery time and costs. Proper planning is essential to this process. A core tenant of an IRP is to have clearly defined roles in the process. There must be an incident response manager who acts as a leader during the process. It is also essential to rehearse and walk through mock incidents to ensure that all possible aspects are considered. Table top exercises provide a good mechanism of running through potential incidents and bringing areas of weakness to light. It is also crucial to include individuals from departments outside of IT to assume roles on the incident response team. All critical aspects of the business should be represented in the response plan. Q: How can I assess my company’s risk for a cyber-attack? Asbury: The most effective process is to have a qualified IT security firm perform a thorough IT risk assessment. If your organization has identified a risk-management officer, that individual should be qualified to oversee this process. Relying on an IT manager to assess risk for a system he or she is responsible to maintain may not yield an unbiased report. Risk assessments should include a review of IT policies, network architecture, roles and security procedures, and physical and logical access controls. They should also take into account matters that are unique to the business such as regulatory requirements and industry compliance. An assessment of risk for a physician practice with a single location is very different than one for a restaurant franchisee with five locations. Q: What are some good components of an emergency plan as it pertains to cyber security and protecting/backing up data? Asbury: Defined variables of the IT security policy and the business continuity policy should also be included in the emergency plan or IRP for an organization. In order to determine the cause and impact of an incident, the security logs and monitoring alerts must first be analyzed and understood. And in order to determine the requirements of business continuity, an impact analysis must be performed. Critical factors such as recovery points and times have to be included in this process. The real key to managing Information Systems starts with good policies and procedures, and they must account for worst-case scenarios to include the need to invoke an emergency response plan when necessary. Q: What options are available train employees about the importance of cyber security? Asbury: Training is an essential component necessary to manage IT security. When considering IT security and policies, three safeguards must be a factor. Those are physical, technical and administrative. The basic logic is that systems and policies must be developed to address physical requirements, technical demands and administrative aspects. The administrative safeguard is intended to ensure that organizations not only create secure systems and networks to transact business, but that they also communicate the policies and requirements necessary to manage risk. Training has to become a business-as-usual part of everyday operations. We recommend formal, documented training on a semi-annual basis, and we suggest that policies be posted in common locations to make them easily accessible to employees. Additionally, the use of Intranet sites and internal email announcements are great tools that can assist in notifying and reminding employees of security matters on a consistent basis. Q: Should a company be concerned with its vendors relative to cyber security? Asbury: Absolutely. A security plan is only as strong as its weakest component. As a business owner or risk manager, you must address security safeguards and loss prevention relative to vendors and business partners. The highly publicized Home Depot breach of 2014 was the result of weak controls around vendor access. We suggest the development of business associate agreements that clearly define requirements around access control and minimal acceptable levels of security from within the vendors’ IT systems.