Cyber Guidance for Small Businesses - Part 1
A Different Kind of Cybersecurity Advice
Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s Wi-Fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.
This advice is different.
Below, we offer an action plan informed by the way cyber-attacks actually happen. We break the tasks down by role, starting with the CEO. We then detail tasks for a Security Program Manager, and the Information Technology (IT) team. While following this advice is not a guarantee you will never have a security incident, it does lay the groundwork for building an effective security program.
Role of the CEO
Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:
Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security must be an “every day” activity, not an occasional one. For example, set goals to improve the security of your data and accounts through the adoption of multi-factor authentication (MFA) (more on that below), the number of systems you have fully patched, and the number of systems that you back up.
Select and support a “Security Program Manager.” This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.
Review and approve the Incident Response Plan (IRP). The Security Program Manager will create a written IRP for the leadership team to review. The IRP is your action plan before, during, and after a security incident. Give it the attention it deserves in “peace time,” and involve leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident.
Invoke the IRP even when you suspect a false alarm. “Near misses” drive continuous improvements in the aviation industry, and the same can be true for your security program. Never let a near miss go to waste!
Participate in tabletop exercise drills (TTXs). The Security Program Manager will host regular attack simulation exercises called tabletop exercises. These exercises will help you and your team build reflexes that you’ll need during an incident. Make sure your senior leaders attend and participate.
Support the IT leaders. There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts instead of asking IT to do so. For example, do not rely on the IT team to persuade busy staff that they must enable a second way to sign in to their email by enabling MFA. Instead, make the MFA announcement to the staff yourself and keep track of the progress.
Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.
A note on MFA: Multi-factor authentication (MFA) is a layered approach to securing your online accounts and the data they contain. It’s the idea that you need more than a password to keep your data and accounts safe. When you enable MFA for your online services (like email), you provide a combination of two or more authenticators to verify your identity before the service grants you access. Common forms of MFA are SMS text messages sent to your phone, 6-digit codes generated on a smartphone application, push notifications sent to your phone, and physical security keys.
Using MFA protects your account more than just using a username and password. Users who enable MFA are MUCH less likely to get hacked. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.
https://www.cisa.gov/cyber-guidance-small-businesses