Security for Small Business – Critical Crypto
As part of an ongoing series, we’re taking a look at security for small business, the tools that are available, and the best practices that keep your business ahead of the curve.
Cryptography is hard. It’s a deep field filled with intense mathematics and littered with traps that can easily snare the unwary. That being said, there are critical crypto tools that help set even small businesses apart and help to protect the long-term viability of their enterprise.
If your business depends in any way on software, technology, or Internet communications, then it also depends on using these tools securely. The best way to do so is with strong cryptography whenever and wherever possible. Critical crypto tools help protect customers’ data, ensure the integrity of orders and billing contracts, and prevent malicious actors from interfering with your ability to conduct business.
Unfortunately, knowing when and where to apply crypto in a business setting can be difficult, even for those with years of experience. To help keep things straight, we’re outlining three different realms in which your small business can deploy critical crypto infrastructure to get the best return on investment.
Secure Web Connections
By default, the web is insecure. Any page delivered over a standard HTTP connection is delivered in plain, unencrypted text. Anyone else on the network can see exactly which server your browser is talking to, what data you’re sending, and what information you’re receiving. Worse still, malicious actors can manipulate this data (both what you send and what you receive) to serve their own ends.
Over the past several years, the web introduced the notion of HTTPS connections. They’re nearly the same as the unprotected connections you’re used to, but use a certificate presented by the server to prove the server’s identity and to negotiate keys that encrypt all communications between it and your browser. Thanks to this secure communications layer -- Secure Sockets Layer (SSL), or its modern successor Transport Layer Security (TLS), though the name “SSL” has stuck -- all of the information sent or received by your browser is protected from prying eyes.
Until a few years ago, very few websites implemented SSL connections. The certificates were expensive and difficult to set up, making it hard for anything smaller than an enterprise IT team to configure. Today, though, SSL powers the backbone of the web and is freely available to anyone.
Further, major browser vendors are starting to penalize websites that fail to deliver content securely. Firefox and Chrome will both display errors and warnings if a non-encrypted page asks for user authentication information. Google takes it a step further by ranking sites that use insecure connections lower in search results.
Implementing SSL on your website will help protect your customers from abuse by bad actors. It will help protect your business’s data from theft by malicious third parties. SSL will even improve your search rankings!
Encryption at Rest
Any data your business stores should be encrypted at rest. This protects you from potential theft if someone walks off with a machine, hard drive, or backup disk.
Last week we talked about different reasons to protect application integrity through the use of backups (primarily offsite). If you haven’t yet, take some time to start working through a backup strategy for your most critical infrastructure.
Once that’s finished, focus on integrating some critical crypto tools into that strategy. Offsite backups can be encrypted, but so can the drives you use day-to-day.
A third step is to encrypt private user information so that, even if it’s ever leaked, no data is exposed to a third party. This becomes even more critical in industries that require cryptography and enforce strong regulatory standards. That’s a topic we’ll revisit next week.
Secure Email
Email itself is inherently insecure. Messages are delivered in unencrypted plain text and passed between multiple servers before they reach the intended destination. The opportunities available for malicious individuals to intercept, eavesdrop upon, or modify messages are countless.
If you’re using email to communicate with customers, keep this in mind!
Never ask customers for identifying information over email. Don’t prompt them with login links, forms, or surveys. Don’t send sensitive information to them in the form of an email. Remember that every message can be intercepted, and it’s relatively trivial for a bad actor to impersonate a legitimate message from you and steal information from your customers.
If it makes sense for your business, cryptography can also be used in email to help assure recipients that your company was actually the sender of a message. Critical crypto tools like PGP and S/MIME enable you to sign outgoing messages. Recipients can then verify the signature attached to a message to confirm your identity as the sender.
PGP uses an open public key infrastructure where you generate your own key and have it cross-signed by other parties. A recipient doesn’t necessarily need to know or trust you, so long as they ultimately know or trust someone who has countersigned your key.
S/MIME uses certificates issued and signed by independent, known certificate authorities. Like PGP, it’s completely free and helps your contacts verify that a message allegedly sent by you was actually sent by you.
Email crypto isn’t a strict requirement for small business, but it definitely helps raise the level of trust your customers can place in any messages you send.
One Thing Right Now …
Every website should be served over HTTPS. This protects both the data being sent to you from your customers and helps ensure the integrity of information sent by you to them. Luckily, setting up a secure connection for your website is free and easy.
The open source Let’s Encrypt project is backed by the Linux Foundation and provides free SSL certificates for any website. Many web hosts provide easy walk-through tutorials that help you install an SSL certificate on your site by yourself.
Likewise, many managed hosting plans will set up an SSL certificate for you. For managers focusing on the non-tech parts of the business, hiring a reputable firm to manage the server and automatically renew certificates on your behalf is a solid choice.
The best step toward a secure website or web application for your business is ensuring critical crypto systems are in place. The one thing you can do to get started is to make sure your website is being served over HTTPS with a valid SSL certificate.
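To confirm that the one thing above is actually in place, here is an added Python script (not from the original post) that checks two things for a hostname: that plain HTTP redirects to HTTPS on the same host, and that the certificate validates against the system’s CA store, reporting how many days remain before it expires. The hostname argument (defaulting to the placeholder example.com) is an assumption; the script makes network connections only when run directly.

```python
"""Added example: check a site redirects HTTP to HTTPS and has a valid certificate."""
import socket
import ssl
import sys
import time
from http.client import HTTPConnection
from typing import Optional
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 307, 308)

def days_until_expiry(not_after: str, now_epoch: float) -> int:
    """Days left on a certificate given its notAfter string as ssl.getpeercert()
    reports it (e.g. 'Jan  1 00:00:00 2030 GMT'); negative once expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now_epoch) // 86400)

def redirects_to_https(status: int, location: Optional[str], host: str) -> bool:
    """True only for a redirect whose target is https:// on the same host.
    The hostname is compared whole; a prefix match would accept look-alikes."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()

def check_http_redirect(host: str, timeout: float = 5.0) -> bool:
    """Issue a plain-HTTP HEAD request on port 80 and inspect the redirect."""
    conn = HTTPConnection(host, 80, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": host})
    resp = conn.getresponse()
    return redirects_to_https(resp.status, resp.getheader("Location"), host)

def check_certificate(host: str, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection; ssl.SSLCertVerificationError is raised
    for an expired, self-signed, or wrong-hostname certificate."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "not_after": cert["notAfter"],
                    "days_left": days_until_expiry(cert["notAfter"], time.time())}

if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print("HTTP -> HTTPS redirect:", check_http_redirect(site))
    info = check_certificate(site)
    print(f"{info['protocol']} certificate valid, expires {info['not_after']} "
          f"({info['days_left']} days left)")
```

A negative or small days_left value is the cue to renew; hosts that auto-renew Let’s Encrypt certificates should keep this number comfortably high.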