Cybersecurity in the Golden State How California Businesses Can Protect Against

Cybersecurity in the Golden State
How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents

February 2014

Kamala D. Harris, Attorney General
California Department of Justice

California Chamber of Commerce
Lookout

This document may be copied, provided that (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.

Privacy Enforcement and Protection Unit
California Department of Justice
www.oag.ca.gov/privacy

Table of Contents

Message from the Attorney General
Executive Summary
Introduction
Cybersecurity Threats Facing Businesses Today
Practical Steps to Minimize Cyber Vulnerabilities
Basic Guidance on How to Respond to Cyberincidents

Message from the Attorney General

California is at the center of the digital revolution that is changing the world. Because of work done by companies right here in our home state, we are more connected – and empowered – than ever before.
But we are also increasingly vulnerable, a fact underscored by the recent holiday-period data breaches that impacted millions across the country. Unfortunately, cybercrime, data breaches, theft of proprietary information, hacking and malware incidents are now routine.

Cybersecurity is not a new concern. In 2003, California became the first state in the country to require data breach notifications. And as of 2012, companies and government agencies subject to California law have been required to submit copies of their data breach notices to the Attorney General if the breach involves more than 500 Californians. That first year, we received reports of 131 data breaches, which our office reviewed and analyzed in the 2012 Attorney General Breach Report.[1]

This Report, and other studies, have repeatedly shown that cybercrime is largely opportunistic.[2] In other words, the organizations and individuals who engage in hacking, malware, and data breach crimes are mostly looking for “low-hanging fruit” — today’s equivalent of someone who forgets to lock her car door.

And, in part because of the close connection between the data collected by websites or mobile apps and cybersecurity concerns, our Privacy Unit has published recommendations on aspects of privacy policy statements: Privacy on the Go, Recommendations for the Mobile Ecosystem and the California Office of Privacy Protection’s Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements, both of which are available in the Business Resources section of the Attorney General’s Privacy web site at www.oag.ca.gov/privacy.

Notably, the skyrocketing number of mobile devices has spawned new threats. Many of us now carry devices in our pockets that are more sophisticated than we ever could have imagined just a decade ago.
Downloadable applications can render us vulnerable to fraud, theft, and other privacy concerns and mobile devices that are constantly connected to the Internet or local Wi-Fi networks face persistent security issues. Mobile security is an issue that must be on our radar screens as we move into 2014.

I recognize that for many of us, computer technology and cybersecurity are complicated. But there are specific and straightforward steps that all small businesses can and should take to reduce their risk, as well as effective measures businesses can take to respond to cyberincidents should they take place. This Guide sets forth in plain language a few steps that any business can take to help protect itself, with a focus on small to mid-sized businesses that lack the resources to hire full-time cybersecurity personnel. These firms are particularly vulnerable. In 2012, 50% of all targeted attacks were aimed at businesses with fewer than 2,500 employees. And more significantly, businesses with fewer than 250 employees were the target of 31% of all cyberattacks.[3]

In developing these recommendations, we worked closely with security experts at Lookout, a leading mobile security company, as well as the California Chamber of Commerce. We appreciate their contributions and commitment to addressing the challenging task of preventing fraud and fighting cybercrime.

As the state’s top law enforcement official, I am committed to protecting the safety, welfare, and privacy of our people and businesses. I hope this Guide will be a useful tool for all of California’s business owners as they continue to contribute to the prosperity of this great state.

Sincerely,

Attorney General Kamala D. Harris

Executive Summary

Relatively small investments in cybersecurity preparedness can yield significant risk reductions.
Every business in California should follow the steps summarized below, and discussed in greater length throughout this Guide, in order to reduce the chance they will be a victim of cybercrime. These measures, however, cannot guarantee that businesses will avoid cybersecurity incidents, and the Guide therefore contains recommendations for how to prepare an effective cybersecurity incident response plan.

1. Assume You’re a Target

Small size and relative anonymity no longer ensure that you will be left alone. Any company, whether big or small, can be the victim of cybercrime. Just as it has become second nature for most of us to lock our front doors when we leave the house, assume you are a potential target and take basic precautions to protect yourself and your company.

2. Lead by Example

Successful cybersecurity measures require the leadership and dedication of business owners. Cybersecurity is not simply the domain of the “IT person”; executive management has to get involved. Small business owners are uniquely positioned to ensure that they and their employees are following good cybersecurity practices. They are also in the best position to understand their company’s network and all the devices that connect to it. This requires dedicating the time and resources necessary to ensure the safety and security of their information assets.

3. Map Your Data

To effectively protect your data, you first need to know the types of data you have and the location of that data. Comprehensively review the data you have stored on your IT systems, both on site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, take a hard look and get rid of what you don’t really need.

4. Encrypt Your Data

Encrypt the data you need to keep. Encryption is an important step you can take to protect the data you have on your systems.
In basic terms, encrypting data – whether it’s email, photographs, memos or any other type of electronically-stored information – encodes it so that those without the encryption keys cannot read it. Strong encryption technology is now commonly available for free, and it is easy to use. The great advantage to encrypting your data is that it renders it far less susceptible to hacking. Finally, machines that handle sensitive information like payroll or point of sale (POS) functions should ideally be on networks or systems separate from machines involved with routine services, like updating Facebook and checking email.

5. Bank Securely

It is essential that small business owners put security first when they engage in online banking. This means that online banking should only be performed using a secure browser connection (indicated by “https” and/or a lock visible in the address bar or in the lower right corner of your web browser window). Online banking sessions should be conducted in the private mode of your web browser and you should erase your web browser cache, temporary Internet files, cookies, and history afterwards so that if your system is compromised that information will not be accessible to cybercriminals. In addition,
