Updated October 9, 2023
🚀 As explained by Erica
Mini celebration time! If you have made it this far and have been following along, then the digital tools used in your business are well secured. Your staff also have access to some great tools, like password managers, and are managed by tools that enable them to make more secure choices, such as required 2FA on email providers.
This last chapter is about how you can make small changes to how your business operates to protect yourself. It is less focused on the technology (although it might be involved), and more focused on the people and process.
There are two things you need to consider each time you engage or work with someone outside the business:
What are they doing for me or the business—what kind of data, information, or access do they need?
How are they going to protect that data, information, or access?
Ultimately, you provide a service or product, and people (inherently or explicitly) trust you to do it well and safely. When you are engaging or using a third party for your business, you are sharing some of the work and risk with them. You need to make sure they handle and manage that risk, or take the same or similar steps towards security as you do. You can always delegate or hire others to do work, but the buck stops with you when it comes to risk ownership.
We used to have an old way of thinking, that if you hired a third party to do something for you, the risk or issue is on them if something goes wrong. This isn’t the case anymore, because we have seen enough security incidents in the news to know that when things go wrong, it is the data custodians and owners who lose out.
For example, if you hired an accountant to do all your business bookkeeping and invoicing, and they lost access to their accounting software account, there is a lot of damage someone could do with that access. One of the more dangerous and subtle things they could do is change the invoice details to show a new bank account for payments to be paid into. This incident could take weeks to notice, and when you find out you might take your anger and frustrations out on the accountant. At the end of the day, though, you will have to work extra hard to try and keep your business afloat and recover those lost payments, all while trying to run the business. Even in a high-litigation culture like the US, these incidents are still forming legal precedent and there are no guarantees on who wins or loses in these situations. Time is better spent doing due diligence early to lower the risk of these types of events happening in the first place. We now know the best and easiest way to stop these common attacks is to make sure the accountant sets up 2FA when accessing your business’s accounting software.
We learn a lot in hindsight with common incidents like these. These incidents teach us the importance of earning trust, assigning trust and access on a “need-to-know” basis, and setting up our tools and processes to catch when trust is broken. Let’s go through a few things you can do to action these lessons.
To manage your security risk while getting help from others, let’s rephrase the above two considerations into principles you should follow:
What is the minimum amount of data, information, or access they need to still do their job?
How can I control how they access that data, information, or access (so I know it is going to be secure)? Or how can I confirm how they will be securing it (so I can keep them accountable)?
The first principle is all about limiting the impact of the risk of something going wrong. If your accountant doesn’t provide you invoicing services, then they shouldn’t have access within your accounting software tool to manage invoice settings. This just opens up and increases the risk of their access being used to cause big damage to you. This isn’t about being secretive or cagey, it is about taking the security of your business seriously and limiting the chances of something going wrong if access or data does not need to be shared. Think of it as the same as when you hire someone to come to your office to clean, or hire someone to watch your pets while you are away from your home. You might give them the keys so they can come in and do their job, but you would leave important things—such as important documents, money, and valuables—locked away in a drawer or safe.
The second principle is about setting or sharing what is needed safely. You might be in control of this. For example, you might subscribe to an online accounting tool, and invite your accountant to join so they can see your account. In this case, you want to set things up as best you can to make it safe from the start. This includes:
limiting what the third party can do, and making sure the access rights they have are as limited as possible
setting or enforcing specific security for people you invite.
For example, some tools might allow you to force all users you invite to use 2FA. Or you can configure the tool to email you when settings or configurations have been changed, so you at least know what that third party is up to and if they are changing things that are outside the realm of what they should be doing.
However, you might not always be in control, perhaps because you are paying that third party to provide a managed service. Very similar to how we vetted our website service provider earlier, there will be more steps to take to vet these types of outsiders, covered in the next section. You will likely need to then share data and information with them, and you should do this in a secure way to set the standard for how they can expect to communicate or share things with you. This includes:
Understanding the type of documents, data, and information they will need access to. This will have a big impact on what you will need to set up when it comes to safe ways for sharing documents or communicating with each other.
If the managed service provider helps you with preparing marketing content and materials for your business, you probably can stick with just sharing documents via email (if size limits are not an issue) because the data in those documents is not risky.
If the managed service provider is helping you manage your website, domain, and email provider, you care more about having a secure way to communicate so you can stay in the loop about what is going on, and any changes that might need your approval.
If the service provider is doing your annual accounts, payroll, and bookkeeping, you care about having both a safe way to share sensitive documents (like payroll details) and a safe way to communicate about ad hoc topics, like clarity on reconciliations or approval on new invoices coming through for payment.
Agreeing and setting up a safe channel for sharing sensitive documents. The key part of safe here is making sure it uses a channel that requires both sides to be “logged in,” requires documents to be shared specifically between you and the third party, and uses encryption. Encryption is like opening a can of worms, and in most cases you’ll be using document-sharing tools in your browser, such as Dropbox, Microsoft OneDrive, or Google Drive. For browser-based tools, you’ll want to check that it uses HTTPS.
Some good options here are using a document or file sharing tool and sharing just a specific folder with an outsider’s specific email. Avoid using “publicly accessible” links, and stick to listing the users by email instead. You can also use shared channels on communication tools like Slack if your team is already using something similar internally.
To focus on the word sensitive, sometimes a document might not have any personal or sensitive business information in it, and you can share it by email. This is OK, but if you are sharing more sensitive documents, you want to do the work early and set up a safer channel.
Agreeing on the best way to share ad hoc data or information, and to verify requests. Aside from sharing documents, you’ll want to agree on a standard way of communicating. For most things, email is perfectly fine. If you have regular communication where the third party is asking for approvals, or for you to make changes, you should make sure there is always a step to verify a request.
Relying on just one channel of digital communication can be risky. People can lose access to email, and this is entirely outside your realm of control. Having a simple second step, like a text message or phone call, to double-check when these requests are coming through is all you need to verify a request.
Following these steps, you’ll have a solid baseline and foundation to work on when it comes to securing the way you work with others. The next few sections of this chapter will narrow down into specific use cases and contexts.
So you can set the groundwork for how you share documents and communicate with others. This is the part of the business relationship where you can control things. There is also the other side that you have to consider—the ways the third party operates in general, and whether or not you can trust them with your business. You can’t control how a business operates, but you can go through the steps to vet or check how they run things and see if it is good enough for you.
The good enough bar you set is the same bar you would set for yourself if you were to be doing that service or job. It can be hard to vet this information; the service might be from a large global provider who doesn’t care about “earning your trust” because they have plenty of people coming to them for business and it is not worth their time to go through an exercise like this. It can also be hard because you are essentially asking them to tell you where they do “good security,” which inversely tells you where they are not doing good security. You are kind of asking them where their holes are, which would be very helpful information to an attacker.
Vetting a third party is like a dance: it might not be very fluid from the start, you might step on some toes, they might step on yours. You might even find a different dance partner if you can’t quite dance in the same rhythm. This happens, and is a great way to vet out anyone who might not take security seriously. If toes are stepped on, it is important to bring the conversation back to “We care about security, and we need anyone we work with to care too.” It might be you asked them a question that they can’t answer directly, but they can give you some other detail to allow you to build that trust that they too care about security.
To help guide you through this tricky dance, here are a few starting questions that most third parties should be able to answer:
Do you and your team go through any security training? What is the security culture like within your organization?
Would you notify me or my business if there was a possibility, or if it was confirmed, that our data was lost? How quickly would you notify us, and how would you notify us? Do you have key incident or resiliency principles you aim for when it comes to security or privacy breach responses?
Where do you store our business’s data? Are you able to and do you protect access to our data using granular and limited access controls, 2FA, and strong and up-to-date encryption practices?
To give you an idea of what good and not so good answers to these questions look like, take a look at these examples using likely answers from a smaller, local service provider.
Question: Do you and your team go through any security training? What is your security culture like within your organization?
Not great answer: “No training is provided to the team,” or the third party is unable to provide examples of positive team culture.
Better answer: “We don’t provide formal security training because we are a small team; however our business leadership team leads by example on security. We provide the team with password managers for storing passwords, and the team is encouraged to ask for help from anyone on the leadership team if they think there is a security problem. We have a channel in our team’s communication tool where people can ask for help on any security matters, and the team actively uses it.”
Question: Would you notify me or my business if there was a possibility, or if it was confirmed that our data was lost? How quickly would you notify us, and how would you notify us? Do you have key incident or resiliency principles you aim for when it comes to security or privacy breach response?
Not great answer: “By agreeing to our terms, you agree that we may not notify you of breaches. You may refer to our press releases for any news about the service, and contact us if you have any concerns.”
Better answer: “We aim to notify you as soon as we can (via email) of any breaches that may have involved your data. While we can’t provide details of our incident response process, we can confirm our key goal in an incident is to reduce the spread and impact of an incident. We will engage with other third parties, such as CERT or police, to get help as needed.”
Question: Where do you store our business’s data? Are you able to and do you protect access to our data using granular and limited access controls, 2FA, and strong and up-to-date encryption practices?
Not great answer: No comment, or generic lines that state “data is encrypted” without specifying what data that refers to.
Better answer: “We can’t provide evidence or details; however, we can confirm that your data is stored within our platform, where we use multiple security controls to protect our customers’ data. This includes requiring multi-factor authentication to gain access, the principle of least privilege for access within the platform, and strong and current encryption protocols and practices. Any copies of data outside the platform are secured using similar controls.”
Invoice scams have become a common type of attack recently because of the low effort and high-value reward from an attacker’s point of view. We explained how these attacks work in Disable Automatic Forwarding. As you know now, security is all about multiple steps you can take to protect yourself, rather than “this one weird trick that fools all hackers.” Those don’t exist.
Taking the technology outside the equation, one step you can add to an already existing payment process is to verify any new or change requests. This means:
When a new contact that needs to be paid is onboarded, you call them or chat to them in person to confirm where payments are made.
When an existing contact needs to change where they are paid to, you call them on a number you have used before and ask them to verify the new account.
Important: It doesn’t matter much whether you call the contact or see them in person; the main point here is that any new or changed data needs to be verified outside of the original digital channel. You can even text them if you want, so long as you are not relying on the same communication channel as the original request. If that contact’s email is under the control of an attacker, you can catch and stop the attack before you pay into the wrong place.
The best way to dovetail this into your existing process without adding too much friction is to have it as a step each time you go to add or edit a contact in your accounting software.
Confusion: Make a note in any description or note field of the date you verified the details, and with whom. This way there is a record you can fall back on just in case. If you outsource your invoicing and payments to a third party, make sure this step is explicitly included in your terms of service or agreement.
Ideally, anyone who is paying your invoices should do the same. And it doesn’t hurt to ask your customers to verify any invoice changes if they come through by calling you or reaching out to you directly. They might not be able to accommodate, but it is worth asking.
Sometimes things go wrong, and you will need help. The thing you can do now to help future you is to make a list of who you would need to contact. To get started, use a very simple spreadsheet or document (stored in a central place, like a shared drive) and list out all the key roles and the people involved (if a role is outsourced to someone else). This may include:
email administrators
website and domain administrators
your country’s Computer Emergency Response Team (CERT), for example the US Cybersecurity and Infrastructure Security Agency (CISA)
local police, or a specific team within your police department that deals with cybercrime or computer crimes
lawyers
insurance companies (if covered for technical or cybersecurity coverage).
Confusion: When calling groups like CERT or police, every country is different. There might be different groups involved to help with security incidents, or the jurisdictions might be different if there are local or national groups involved. If you are unsure, start with local police and ask where you can go for help. It might not be them, but they might be able to refer you to specific national groups or other specialized groups who can assist. If you reach roadblocks with your local police, try finding your country’s CERT organization. Some of the larger ones, like CISA, might be slow to respond, though, so don’t rely on them for immediate support.
The last group you want to add to that list is a local IT support group. If you already have a managed service provider who handles your email, website, and domain administration, they might be able to fill this role for you. If not, you will want to find a group that can:
provide immediate support during a time-sensitive incident
help with restoring any devices or systems from backups
reset access to accounts or systems to kick an attacker out
help with taking copies of evidence that could be used to support any reports you open with police or CERT groups.
It is best to find this group now, rather than later when you are going through an incident. This way you can agree terms and rates up front, and you can skip that usual first step of getting to know each other and get straight to problem solving when the time comes.
You will need to set some lightweight processes for how you manage people inside the business as well as those outside the business. This includes people who are hired as contractors or permanently, as well as those who leave.
Managing new starters is easier than managing leavers. You want to start small on access, and add over time. If you run into problems where they don’t have enough, it is less risky to open access up rather than try to claw it back when you notice them (accidentally or intentionally) misusing this access.
Leavers are a bit harder, and it helps to have the process clear beforehand. The best tool at your disposal here is a quick onboarding and offboarding checklist. You can store it anywhere: in a task management tool, or in a document stored on your computer. So long as it is something easy for you to pick up, create a unique copy of for a specific person, and save for your records, it should work fine.
On that checklist for offboarding, you want to include the following steps:
Disabling their main email provider account
Collecting any work devices and physical access cards/keys they used
Removing them from the team password manager
Removing or blocking their device on your email provider’s list of devices in use
Rotating any passwords for the shared accounts, tools, or devices they had access to, and re-storing those in the team password manager
This list will obviously depend on what tools, devices, and access you gave them. You can also tell how hard this list would be to tackle if you didn’t have things like an inventory of tools, accounts, and devices used in your business.
In order to run a business, we need to trust our team and outsiders to do work on behalf of the business. Having lightweight processes like these can help you keep that trust in check, and make sure that it is revoked when it is no longer needed. Reviewing your users every few months can help catch any that slipped through the cracks.
🚀 As explained by Laura
When discussing security management for a business, it helps to have a structure to work with. This structure will group the measures you can take by the type of action and impacted areas of the business, letting you review and approach each area in turn rather than trying to tackle everything at once.
There are a number of frameworks for information security that each define their own version of these areas. In this section we will cover a simplified version of ISO 27001, the international standard framework for information security.