May eNewsletter

Welcome to our May business eNewsletter focusing on cybersecurity tips for your business.

Quote of the month:
“Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.” – Jeh Johnson

In this Issue…

SpiritBank June Lunch and Learn

Join us for some Burn Co. Barbecue and get answers to your most burning cybersecurity questions.

  • What are some low cost approaches to protecting my business?
  • What is social engineering and how do I prevent such attacks?
  • How do I safely manage passwords for many accounts?
  • What are some security regulations that may impact my industry?
  • How do I help my employees develop a strong security awareness?
  • What resources exist to help my business manage cybersecurity risks?

June 6, 2019
11:30 AM – 1:00 PM
SpiritBank Community Room (1st Floor)
1800 S. Baltimore Avenue.
Tulsa, OK 74119

Hear a panel of experts in the industry who will take your questions to help your business thrive.

Jonathan Kimmitt, Chief Information Security Officer, University of Tulsa
Mike Spencer, Director of IT, SpiritBank
Nathan Sweaney, Senior Security Consultant, Secure Ideas

RSVP: Tandy Donald, tdonald@spiritbank.com; 918-295-7438

Top Ten Cybersecurity Tips

Please read this advisory in order to protect your small business from ransomware. The following tips will also help secure your small business:

1. Protect against viruses, spyware, and other malicious code
Make sure each of your business’s computers is equipped with antivirus and antispyware software, and keep it updated. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.

2. Secure your networks
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure: turn on WPA2 or WPA3 encryption with a strong passphrase, change the router’s default administrator password, and keep the router’s firmware updated. You can also configure the access point not to broadcast the network name, known as the Service Set Identifier (SSID), but treat that as housekeeping rather than protection: a hidden SSID is still visible to anyone with basic wireless tools, and it is the encryption and passphrase that keep intruders out.

3. Establish security practices and policies to protect sensitive information
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies.

4. Educate employees about cyber threats and hold them accountable
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s Internet security policies and procedures.

5. Require employees to use strong, unique passwords
Require a different password for every system, and change a password promptly when you suspect it has been exposed rather than on a fixed calendar schedule; forced periodic changes tend to produce weak, predictable variations. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

6. Employ best practices on payment cards
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

Are you ready for the shift from magnetic-stripe payment cards to safer, more secure chip card technology, also known as “EMV”? The liability shift set by the major U.S. card brands took effect on October 1, 2015: a merchant that has not adopted chip-capable terminals generally bears the loss for counterfeit-card fraud at its point of sale. Visit SBA.gov/EMV for more information and resources.

7. Make backup copies of important business data and information
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud. Keep at least one copy that the workstations cannot reach or overwrite (an offline drive, or a cloud backup with versioning that ordinary user credentials cannot delete), so that ransomware that encrypts your files cannot encrypt your backups as well, and test a restore periodically to confirm the copies are usable.

8. Control physical access to computers and network components
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel, and even they should do day-to-day work from a standard account and use the administrative account only when a task requires it.

9. Create a mobile device action plan
Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to lock their devices with a passcode, encrypt their data, keep the operating system and apps updated, and avoid sensitive business over public Wi-Fi unless the connection is protected (for example, by a VPN). Be sure to set reporting procedures for lost or stolen equipment, and enable remote wipe so a lost device can be erased.

10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages

Read this article at sba.gov

Resources for Small and Midsize Businesses (SMB)

Cybersecurity Resources Road Map (A Guide for Critical Infrastructure SMBs)

The Cybersecurity Resources Road Map is a guide for identifying useful cybersecurity best practices and resources based on needs.

SMB Toolkit
1. Getting Started: Top Resources for SMB
2. Cybersecurity for Startups
3. SMB Leadership Agenda
4. Hands-On Resource Guide

Stop.Think.Connect. Toolkit

The Stop.Think.Connect.™ campaign includes cybersecurity tips for SMBs.

Read this article at us-cert.gov

Ouch! Newsletter: Making Passwords Simple

You are often told your passwords are key to protecting your accounts (which is true!), but rarely are you given a simple way to securely create and manage all your passwords. Below we cover three simple steps to simplify your passwords, lock down your accounts, and protect your future.

The days of crazy, complex passwords are over. Those passwords are hard to remember, difficult to type, and with today’s super-fast computers can be easy for a cyber attacker to crack. The key to passwords is to make them long; the more characters you have the better. These are called passphrases: a type of strong password that uses a short sentence or random words. Here are two examples:

  • Time for strong coffee!
  • lost-snail-crawl-beach

Both of these are strong, with over twenty characters, easy to remember, and simple to type but difficult to crack. You will run into websites or situations requiring you to add symbols, numbers, or uppercase letters to your password, which is fine. Remember though, it’s length that is most important.
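To put numbers behind “length is what matters,” here is an added example (not part of the OUCH! newsletter) that computes the search space an attacker must cover for a few password policies and generates a random word passphrase the way a password manager would. The wordlist, the 7,776-word diceware list size, and the guess rate of ten billion per second are assumptions chosen for illustration; the entropy figures only hold when the characters or words are picked at random, which is why a generator rather than a favourite sentence is the safe way to get them.

```python
import math
import secrets

# Constructed stand-in for a diceware-style wordlist (assumption: illustrative words,
# not taken from any published list). A real list has 7,776 entries.
SAMPLE_WORDS = ["lost", "snail", "crawl", "beach", "coffee", "strong", "time",
                "river", "lamp", "orbit", "paper", "quilt", "maple", "stone"]
DICEWARE_LIST_SIZE = 7776
GUESSES_PER_SECOND = 1e10  # assumption: an offline cracking rig against a fast hash


def search_space_bits(alphabet_size, length):
    """Entropy in bits of a secret made of `length` symbols each drawn uniformly
    from `alphabet_size` choices: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def days_to_crack(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the space is searched."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / 86400


def compare_policies():
    """Map a policy name to (bits, days) so the policies can be compared side by side."""
    policies = {
        "complex-8": search_space_bits(95, 8),        # 8 printable-ASCII characters
        "lowercase-12": search_space_bits(26, 12),    # 12 lowercase letters, nothing else
        "passphrase-4": search_space_bits(DICEWARE_LIST_SIZE, 4),
        "passphrase-5": search_space_bits(DICEWARE_LIST_SIZE, 5),
        "passphrase-6": search_space_bits(DICEWARE_LIST_SIZE, 6),
    }
    return {name: (round(bits, 2), days_to_crack(bits)) for name, bits in policies.items()}


def generate_passphrase(words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Pick words with the CSPRNG in `secrets`; `random.choice` is predictable and
    must not be used for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, (bits, days) in compare_policies().items():
        print(f"{name:13s} {bits:6.2f} bits  ~{days:,.1f} days at {GUESSES_PER_SECOND:.0e}/s")
    print("generated:", generate_passphrase(5))
```

Twelve lowercase letters (about 56 bits) already beat eight characters drawn from the full keyboard (about 53 bits), and each extra random word adds roughly 13 bits, so five or six words is the range to aim for on an account that matters.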

Password Managers

You need a unique password for every account. If you reuse the same password for multiple accounts, you are putting yourself in great danger. All a cyber attacker needs to do is hack a website you use, steal all the passwords including yours, then use your password to log in to all your other accounts as you. It happens far more often than you realize. Don’t believe it? Check out the website haveibeenpwned.com to see what sites you use that have been hacked and your passwords potentially compromised. So what should you do? Use a password manager.

These are special computer programs that securely store all your passwords in an encrypted vault. You only need to remember one password: the one for your password manager. The password manager then automatically retrieves your passwords whenever you need them and logs you in to websites for you. They also have other features such as storing your answers to secret questions, warning you when you reuse passwords, a password generator that ensures you use strong passwords, and many other features. Most password managers also securely sync across almost any computer or device, so regardless of what system you are using you have easy, secure access to all your passwords.

Finally, be sure to write down the password to your password manager and store that in a secure location at home. Some password managers even let you print out a password manager recovery kit. That way, if you forget the password to your password manager you have a backup. Or, if you get sick or find yourself in an emergency, your spouse or trusted family member can retrieve the information on your behalf.

Two-Step Verification

Two-step verification (often called two-factor authentication or multi-factor authentication) adds an additional layer of security. It requires you to have two things when you log in to your accounts: your password and a numerical code that is generated by your smartphone or sent to your phone. This process ensures that even if a cyber attacker gets your password, they still can’t get into your accounts. A code from an authenticator app or a hardware security key is preferable to one sent by text message, since text messages can be redirected by SIM-swap fraud. Two-step verification is simple to set up and you usually only need to use it once when you log in from a new computer or device. Enable this whenever possible, especially for your most important accounts such as your bank or retirement accounts, or access to your email. If you are using a password manager, we highly recommend you protect it with a strong passphrase AND two-step verification.

It may sound silly, but these three simple steps go a long way in protecting your job, your reputation, and your financial future.

Subscribe to OUCH! and receive the latest security tips in your email every month.


Have I Been Pwned: https://haveibeenpwned.com/
Two-factor Authentication Site: https://twofactorauth.org/
Long Live the Passphrase: http://www.sans.org/u/OKJ
Time for Password Expiration to Die: http://www.sans.org/u/OKO
NIST SP800-63B Digital Identity Guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html

OUCH! is published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. Editorial Board: Walt Scrivens, Phil Hoffman, Alan Waggoner, Cheryl Conley

Read this article at sans.org

The NIST Cybersecurity Framework

You may have heard about the NIST Cybersecurity Framework, but what exactly is it?

And does it apply to you?

NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data. The Framework is voluntary. It gives your business an outline of best practices to help you decide where to focus your time and money for cybersecurity protection.

You can put the NIST Cybersecurity Framework to work in your business through its five core functions: Identify, Protect, Detect, Respond, and Recover.

1. Identify

Make a list of all equipment, software, and data you use, including laptops, smartphones, tablets, and point-of-sale devices.

Create and share a company cybersecurity policy that covers:

  • Roles and responsibilities for employees, vendors, and anyone else with access to sensitive data.
  • Steps to take to protect against an attack and limit the damage if one occurs.

2. Protect

  • Control who logs on to your network and uses your computers and other devices.
  • Use security software to protect data.
  • Encrypt sensitive data, at rest and in transit.
  • Conduct regular backups of data.
  • Update security software regularly, automating those updates if possible.
  • Have formal policies for safely disposing of electronic files and old devices.
  • Train everyone who uses your computers, devices, and network about cybersecurity. You can help employees understand their personal risk in addition to their crucial role in the workplace.

3. Detect

  • Monitor your computers for unauthorized personnel access, devices (like USB drives), and software.
  • Investigate any unusual activities on your network or by your staff.
  • Check your network for unauthorized users or connections.

4. Respond
Have a plan for:

  • Notifying customers, employees, and others whose data may be at risk.
  • Keeping business operations up and running.
  • Reporting the attack to law enforcement and other authorities.
  • Investigating and containing an attack.
  • Updating your cybersecurity policy and plan with lessons learned.
  • Preparing for inadvertent events (like weather emergencies) that may put data at risk.

Test your plan regularly

5. Recover

After an attack:

  • Repair and restore the equipment and parts of your network that were affected.
  • Keep employees and customers informed of your response and recovery activities.

For more information on the NIST Cybersecurity Framework and resources for small businesses, go to NIST.gov/CyberFramework and NIST.gov/Programs-Projects/Small-Business-Corner-SBC

Read this article at FTC.gov

The views and opinions presented in this newsletter do not necessarily represent those of SpiritBank.
Property of SpiritBank. 2019.