Small Business, Big Target: Cybersecurity Threats & Regulations in Massachusetts

05.22.2019

To do business in the 21st century is to confront cybersecurity threats. Just because you run a small or medium business doesn’t mean you fly under the radar. In fact, criminals often target small and medium businesses (SMBs) for exactly that reason – companies often don’t recognize the threat and think that because they have a firewall and antivirus, they’re protected. Well… they’re not. Ransomware is rampant. Cryptocurrency mining malware is everywhere. And people are constantly clicking those $2 burrito coupon phishing emails, letting the bad guys right through your firewall. But hey, it’s not all doom and gloom. Between a few simple best practices and following Massachusetts regulations, SMBs can significantly up their cybersecurity game to avoid risk of downtime, data loss, and reputation damage. Here’s how to make a huge impact on your security posture:

Cybersecurity Game Changers

Invest in multi-factor authentication.

Why? It’s the number one way to reduce or eliminate online account takeover for programs like Office 365 and Google G-Suite. And the cost is about a cup of coffee per user per month. This is a no-brainer.

Inspect all traffic, not just 20% of it.

Over 80% of the web is encrypted (HTTPS) these days according to Google’s latest Transparency Report. Most SMBs have firewalls that are currently inspecting only HTTP (unencrypted) web traffic, so over 80% of all inbound and outbound web traffic makes it right through companies’ front doors! That’s like TSA letting eight out of ten people skip security measures at the airport. Crazy, right? The simple fix is to enable “SSL Decryption” on the firewall to ensure 100% of data packets entering the network are inspected for malware.

Train employees.

Simple. Obvious. Incredibly effective. According to the National Institute of Standards and Technology, “we [people] are the largest vulnerability in any organization.” Training users how to spot red flags in phishing emails is crucial to any organization’s security posture. To err is human. To avoid bogus $2 burrito ads is divine.

Best practices are critical, but let’s not forget that any business (big or small) that owns or licenses personal information about a resident of the Commonwealth of Massachusetts is required to follow law 201 CMR 17.00, which goes by the catchy title, “Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts.” Not exactly a thrill-ride, but super important nonetheless.

What it breaks down to is that all businesses – whether for-profit, not-for-profit, or government –with the private data of one or more Massachusetts resident must take the following actions in addition tothe game changers listed above, regardless of company size:

Regulatory Requirements

Identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information.

Translation: Perform regular risk assessments (annually at the very least).

Have a Written Information Security Program (WISP) that covers all aspects of the organization’s security program and posture, including but not limited to: security awareness training requirements, data security practices, encryption policies, acceptable use of corporate data and resources, and incident response procedures.

Institute regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information.

Translation: Perform continuous monitoring of inbound/outbound network flows and system logs for anomalies and/or annual penetration testing.

Secure user authentication protocols and access control measures.

Translation: Implement least privilege that gives users only the permissions they need to get their jobs done and no more. This also includes locking out accounts after a certain number of unsuccessful login attempts.

Pro-mode: Multi-factor authentication is another provision that helps companies meet this standard.

Encrypt all private data in transit (web and email) and at rest (on a computer or server).

Implement patch management. Not just Windows operating system, but of all third-party applications like Google Chrome, Adobe Reader, and on all network devices including switches, firewalls, and routers.

It’s possible to protect your business from the majority of cybersecurity threats out there. We know, we do it all the time. It’s about paying attention to the ways you can avoid becoming an easy mark and making sure you’re following Massachusetts regulatory requirements. A little investment in these best practices and keeping up to code (so-to-speak) goes a long way.