Written By: Sindi Major-Martinez, CEO and Founder of CEM Solutions Group
For many small businesses, dealing with cyber security can feel daunting and like an unfair fight. Like David vs. Goliath, it can feel like we are weak compared to all the cyber threats out there. After all, if large organizations like Target and Verizon can’t keep the bad guys out, how can a small business keep them out? As unachievable as it may seem, there are simple steps that small businesses can take to reduce their cyber security risk.
Cyber Security Frameworks:
First, let’s talk cyber security frameworks. Frameworks provide a map or blueprint for building a cyber security program that manages the risks to data and reduces vulnerabilities in your organization. There are various frameworks: COBIT, ISO 27001, HITRUST, and NIST CSF. The NIST CSF is quickly emerging as the gold standard among the cyber security frameworks nationally and internationally (https://www.nist.gov/cyberframework).
There are 5 core components to the NIST framework: Identify, Protect, Detect, Respond, and Recover.
The best defense is a good offense when it comes to cyber security and that is why a framework can be so helpful to small businesses. The important thing to remember is that cybersecurity is not just a technology issue, it’s an organization-wide issue and a business survival issue.
The following outlines steps that small businesses can take using the NIST CSF Framework to protect their organizations against cyber threats and reduce their risk.
Identify: Where do we stand now?
The first step in any cybersecurity strategy is to know where you stand right now. Conduct a risk assessment of your organization’s I.T. environment. A risk assessment should include asset management, the business environment that you operate in, governance that your organization must meet (HIPAA, PCI, FedRAMP, GDPR, SOX, etc.), a risk management strategy, and supply chain risk management.
Identify current vulnerabilities and develop an action plan for what your organization needs to fix, based upon their severity and the impact they could have on your business. It is critical to determine how much risk your organization can tolerate in the event of a breach. Talk to your business insurance carrier about whether your cyber security policy covers all possible breaches. Recently, in a conversation with a friend who is a commercial insurance broker, he informed me that social engineering attacks are not covered under the cyber security policy because it is considered a criminal act.
Protect: How do we continually protect our organization from cyber security threats?
Protecting your organization includes identity management and access controls (physical and online), awareness and training, data security, information processes and procedures, on-going maintenance, and utilizing the right technology to protect your organization.
Cyber Security Policy and Procedures
Does your organization have cyber security policies? If so, are they incorporated as part of your hiring procedures? Has your organization determined which technology tools will be used to protect the organization and a plan to monitor the technology tools to confirm whether they are effective?
Building a Cyber Security Team
Build your cyber security team. Your cyber security team should include representation from every area of your business. This is not an I.T. only effort. Each person on the team should have a role that they play in keeping your organization secure.
Educate and build awareness among your team
Educate your staff. Most breaches occur through phishing emails which present themselves as legitimate emails. Your team should be educated on what to look for in emails. In addition, phishing tests should be conducted on a regular and random basis to keep phishing front of mind.
Detect: Continuously Monitoring your Network.
Detection is key to identifying potential breaches. A comprehensive detection program should include notifications of anomalies and events, continuous security monitoring, and detection processes. In addition to protecting an organization’s firewalls, switches, and servers, endpoints need to be monitored with SIEM (Security Information and Event Management) tools. What is an endpoint? Desktops, laptops, smartphones, tablets, servers, and workstations with a remote connection to the network. Each endpoint creates a potential point of entry for security threats.
Respond: How will your organization respond in the event of a cyber security event?
Plan how you will respond in the event of a breach. This should include a communication plan to all stakeholders notifying them of the incident, analysis of the event, mitigation of future events, and what improvements can be made to prevent incidents in the future.
This is where your cyber security team will play a key role in making sure the proper response is followed and no one takes on “the sky is falling” role.
Recover: How your organization will recover from a cyber security event.
Once an incident has been stopped, it is important for the cyber security team to have a “post incident meeting” to review what happened, how it happened, the steps that were taken to address the breach, and what changes need to be made in policy and procedures, employee education and awareness, and the technology changes or additions that need to be made to reduce the probability of future breaches.
Steps in the recovery process should include recovery planning. How will you continue to operate? What improvements need to be made to prevent future events? What changes will be made to improve security that need to be communicated to stakeholders?
Implementing a cyber security framework for your small business can seem daunting with all the other priorities that exist in small businesses. Keep in mind that doing something, like David’s use of a rock against Goliath, will benefit your organization more than doing nothing at all. Take baby steps that enable you to implement your cyber security framework one step at a time. If you do not know where to start, or do not have the expertise to help you implement a framework in house, there are consultants out there to help.
CEM Solutions Group is an I.T. Consulting, Managed Security Services Provider (MSSP) and Managed Service Provider (MSP) located in Loudoun County, Virginia. We are here to help your organization address your cyber security needs. Call us today at 703-840-5441.