For many company’s, cybersecurity is still an abstract concept, something they think they may have to deal with later but right now they are too small to be a target. Unfortunately this is less and less the case. Hackers are increasingly focusing on small and mid-sized businesses who lack the enterprise grade protection that many larger companies enjoy. But that shouldn’t stop you from embracing small business cybersecurity. In this Touchstone guide, we are going to talk about the key elements that you need to accomplish in order to have a robust and comprehensive small business cybersecurity program. Business owners are increasingly overwhelmed with the complexities of cyber security, but we plan to make it easy. So follow along and let’s jump right in.

What is Cybersecurity for Small Business?

Cybersecurity involves protecting the confidentiality, integrity, and availability (CIA) of sensitive data. In a small business context this means implementing basic security controls to protect your organization from cybercriminals. When done correctly, cybersecurity should reduce your organizations risk and leave you with a more confident workforce. Effective cyber security doesn’t have to be hard, in fact in many cases even low investments of time and resources can yield substantial results. Here are some basic steps you can take that will yield meaningful reductions in risk.

Identify the Information your Small Business Handles

Proper security starts with cataloging IT assets and data. The first step you should take is to get full and complete inventory of all of the IT assets your company is using, software assets, and version information. Every IT asset should be listed out, along with the operating system, and data held by the asset. There are numerous types of data but they include:

Personally Identifiable Information: (This may consist of names, phone numbers, addresses, or any other data that can be used to uniquely identify an individual

Personal Health Information: These are personal health records of individuals that can be tied back to the individual. If your organization handles PHI in a meaningful way you are likely bound by the HIPAA Security Rule and should seek immediate guidance on compliance.

Financial Information: This data consists of the financial information of your employees or customers and should be guarded with strict security measures. Implementing advanced data protection around critical information assets containing PII, PHI, and Financial Data is absolutely critical.

Once your inventory is complete you should have a solid understanding of what your IT assets are, what software is running on them, and what data is being stored on them.

Identify Small Business Cybersecurity Compliance Requirements

Your next step is to identify small business cybersecurity requirements that your organizations falls under based on your industry and the types of data that you handle There are a wide range of requirements ranging from PCI DSS, HIPAA Security Rule, state breach notification laws, FERPA, SOX, and the NYDFS Cybersecurity Regulation that can impose heavy fines if not adhered to. We recommend all small businesses follow a cybersecurity framework such as the NIST Cybersecurity Framework which can by default meet many requirements. Controls can be added or modified in order to meet additional compliance requirements.

In some cases it may make sense to speak with a qualified attorney or cybersecurity professional who can help you identify compliance requirements that you fall under. This is particularly the case if you hold PII, PHI, or financial information.

Conduct a Small Business Comprehensive Risk Assessment

Almost all major cybersecurity compliance requirements call for a Risk Assessment to be conducted. Risk Assessments involve cataloging existing IT assets, prioritizing them based on criticality, then identifying the risk level each of those IT assets faces. A Risk Assessment serves as a critical next step towards building your small business cybersecurity program. By identifying high-risk assets, you can focus your security resources to ensure that you have an efficient cybersecurity program.

By this point you should already have a well organized list of IT assets. Take the time to think what the biggest risks to each one are. Do you have externally facing servers? Is your IT infrastructure on-premise or in the cloud? If the answer is on-premise, you need to consider physical risks to your building such as wildfires, floods, and earthquakes. For many organizations, Ransomware is one of the most significant risks. We strongly recommend identifying ransomware recovery services before you suffer an attack in order to decrypt files as quickly as possible.

Here is a U.S. government tool that can help:

U.S. Government Risk Assessment Tool

Create Clear Small Business Cybersecurity Policies, Procedures, and Plans

Every employee should know what is expected of them from a security perspective. Take the time to create high-quality well documented cybersecurity policies and procedures. In addition, you should have several pieces of documentation such as an incident response plan, vulnerability management plan, a business continuity plan, and policies around patching vulnerabilities. All users should know exactly what is expected of them in regards to cybersecurity, and failure to comply with policies and procedures should result in reprimand. Here are some resources you can use:

SANS Cybersecurity Policies Library

FCC Cyberplanner

Provide Security Awareness Training for Small Business Employees

This task cannot be overstated. If you are looking to create a small business cybersecurity program, providing end-user security training is absolutely critical. Users should at a minimum, receive training on threats such as phishing attacks, DDOS attacks, and watering hole attacks. They should also be trained to understand the different types of data they may be dealing with on a day to day basis (such as PHI and PIII) as well as compliance requirements that they are legally obligated to meet. Training has consistently been shown to have one of the highest ROI’s for small business cybersecurity programs. End-User Training should also include what to do if a user discovers that malware or ransomware has been installed on their computers. Touchstone Security offers high-quality end-user training that can help you meet numerous compliance requirements while leaving you with a safer and better equipped work force.

Implement Basic Small Business Security Measures

While all of the above are important. Don’t overlook very basic security measures that can thwart many cyber attacks. All users should be required to set strong passwords for access to any internal IT Infrastructure. Operating systems should be uniform and should be kept regularly patched. Two Factor Authentication should be used on every single business application possible and cyber threats should be reported to management as soon as they are encountered. Cyber criminals often exploit the most basic lack of protection, by taking even a few easy steps you can reduce your risk substantially.

Access to services should also be configured based on the principle of least privilege. Essentially, employees should only have access to services that they need to use on a day to day basis. For example, only your account department should have access to banking services, only your IT department should have administrative access to IT systems etc. Assign permissions as conservatively as possible in order to minimize risk.

Test and Optimize your Small Business Cybersecurity Program

The last step in creating your small business cybersecurity program is to test and optimize. Ensure that you have documented all critical IT systems, that you have policies in place to keep them regularly patched. and that you have an incident response plan and disaster recovery plan in place in case the worst happens. Effective cybersecurity takes a whole of business approach, and requires the involvement of cybersecurity technologies, information system professionals, as well as a in-depth understanding of cybersecurity risks. Cybersecurity for small business doesn’t have to be hard.  Additionally you should engage in:

– Regular End-User Security Awareness Training

– Annual or Biannual Penetration Testing

– Routine Data Classification

– A designated cybersecurity response team (or outsourced company)

– Security Engineers on standby ready to help

Still Feeling Lost? Touchstone Security can help your Small Business

Our team of information security professionals has decades of experience helping a wide range of businesses improve their information security practices. We can work with your small business to secure your information systems, help achieve compliance objectives, and improve security across the board. We focus on helping our clients implement practical cybersecurity roadmaps that provide real and meaningful protection of critical data at a small business price point.

Get a free 60-minute compliance evaluation with a senior-level CISO