Cybersecurity can be a big problem for small business. A report by the Ponemon Institute shows that the number of small and medium size businesses that experienced a cyber-attack in 2018 increased to 67%. And only 28% say they can effectively mitigate these treats. So, while small businesses are particularly vulnerable to attack, it seems they don’t have the training and resources to implement the type of security programs they need.
However, there are a number of cost-effective steps small business can and should take that can greatly increase their security. The Center for Internet Security (CIS) offers a regularly-updated list of security controls that any size business can implement. CIS controls are a set of 20 recommended cybersecurity actions put together by a broad range of government and industry experts. The controls are broken down into groups based on importance to help organizations prioritize a smaller number of highly effective actions.
Not all controls are right for all business
One advantage of the CIS controls is that they are customizable to fit your organization’s needs and resources. To help with this, the CIS released a guide that identifies some of the controls most important for small business and can be implemented with little to no cost. Here is an outline of their recommendations:
Know Your Environment
In order to properly implement a cybersecurity program, the first thing you need to do is actually know what you need to secure. It is therefore essential to understand three basic things: the value of data you have, what devices are connected to your network, and the software that is in your systems. Conducting an inventory of your data and software alongside regular scans of devices on your network will go a long way toward preventing attacks.
Protect Your Assets
The CIS outlines two approaches small business should take that will greatly protect their outlines. The focus is not just on implementing technical security measures, but also on training employees to prevent accidentally damaging your systems.
The first step is to secure technical baselines. Often attacks will exploit weakness in applications running on your systems, so it’s important to ensure all operating systems and applications are updated with the latest security patches and are securely configured. The CIS also recommends using anti-malware software to regularly scan your environment. Most systems will include built in anti-virus software, but there are also plenty of low-cost alternatives available.
When it comes to educating your employees, the first step is to train the entire staff on identifying phishing schemes and phone call attacks. These can target employees at any level of an organization, so it’s essential everyone is properly trained. You will also want to implement more targeted trainings by identifying users with access to sensitive information and educating them on proper cybersecurity behaviors.
Prepare Your Organization
The last step the CIS recommends all small business take is to prepare for the possibility of a cyber-attack or data breach. While the idea is to prevent these from happening in the first place, it’s important to have systems in place should the unexpected occur.
To mitigate the damage of data loss the CIS recommends performing automated weekly backups of systems that contain important information and to ensure at least one of your backups is not accessible through the network.
The CIS also recommends conducting periodic incident response simulations. It’s essential to identify and train those within the organization who will serve as lead in the event of an attack and to run through possible scenarios. You will also need to familiarize yourself with state and federal regulations to understand what notification requirements you need to adhere to.
Of course, this shouldn’t be understood as a comprehensive guide for small businesses. It contains only a small subset of the complete 20 controls but represents what the CIS views as a barebones guide that small businesses can implement with only small cost to them. Check out the full report for more details on these steps as well as a list of small or no cost programs the CIS recommends to help with implementation.
Once you’ve set up these simple security procedures, you might want to take a look at the full list of CIS controls to see what additional steps you can take to create the most effective cybersecurity program you can. Don’t be a statistic on next year’s Ponemon report.