Are you looking for a cybersecurity plan for a small business?
One that is actually affordable and keeps out the hackers?
Then you will love today’s post.
Because I’m going to show you how you can build out an affordable but highly effective small business cybersecurity program.
A Simple Small Business Cybersecurity Plan
Here is a simplified small business cybersecurity plan:
- Understand your business processes
- Identify the risks facing your business
- Implement basic security controls
- Implement advanced security controls
- Establish processes around monitoring and auditing
- Develop contingency plans for responding to incidents
Let’s dive in.
Step 1: Understand Your Business
If you follow the news, you probably see the announcement of a massive data breach almost weekly.
And you may find yourself wondering:
If the large companies can’t stay secure, how does my SMB stand a chance?
You actually have an easier job than the large companies.
You just have to do it right.
Before we start talking about ways to identify the critical components of your business, I want to ask you something:
Why do cars have brakes?
Think about it…
So they can drive faster!
So why do businesses have cybersecurity?
So they can innovate and grow faster.
Cybersecurity should not be a hindrance to your organization.
Security professionals are too often thought of as the guys who always say you can’t do the things you want to.
Sure, there are insecure actions that should be avoided, but those responsible for security should come up with solutions that are secure – not just say no.
Let’s look at the first step in building a security program for your small business.
Identify the critical components in your business
The first step in the small business cybersecurity plan is identifying the critical areas of your business.
These are the areas that your security plan should focus on protecting.
If your organization is like most small businesses, you have a limited IT and cybersecurity budget.
Thus, you must prioritize your security program around the critical areas of your business.
You can ask a few questions to help clearly establish your priorities.
Question #1 – How does your business make money? What critical apps or assets could cause large damages to the business if they were breached?
For example, if you run a small accounting office, the computers and accounting software that you use may be your most critical assets.
If you work at a law firm on the other hand, your most critical systems might be the ones housing all of your clients’ confidential data.
It could damage your reputation and even their cases if that data is compromised or leaked.
For a manufacturing facility, the most critical systems could be those surrounding the shipping department.
If they can’t ship parts to their customers, they won’t get paid, right?
So, begin your small business’s cybersecurity plan by taking the time to understand what parts of your business are the most critical.
Question #2 – How much downtime or revenue loss can your business survive?
You are likely thinking that you can’t afford any downtime, but you have to understand just how much downtime you can actually have before your company suffers.
Again, you have to refer back to the critical areas (the money-making components) of your organization.
A small attorney’s office makes money in a very different way than an ecommerce store.
The attorney’s office could probably handle more downtime than an ecommerce store.
Maybe they could revert to using pen and paper while their systems were restored.
On the other hand, if the ecommerce store had all of its systems go down, they are completely dead.
Let’s do a little math exercise.
Imagine you are the owner of an ecommerce store.
Your store makes $100,000 per month in online sales.
This would mean that in the average month, you are selling $138 of merchandise every hour or $2.31 every minute.
Now, what’s the most damage your business can take in a month?
$500? That’s only 3.6 hours of downtime.
So, figuring out which departments in your organization contribute to your profits the most can help you prioritize your security program.
Note: Your entire organization is important in terms of security. But, when building out a phased small business cybersecurity plan, it’s important that your efforts are focused and prioritized in the right way.
Question #3 – Who has access to business-critical assets, apps, and information, and what will happen if they are breached?
You should think about a few groups – internal and external.
Internally, you should practice a need-to-know based system for managing access control.
One security failure that we often see among small businesses is that people wear many hats and restricted access is ditched — everyone gets access to everything.
This is a big mistake!
Only give employees access to the accounts they need to do their job.
You may even need to tell them that it’s not because you don’t trust them, but because you want to reduce your company’s attack surface.
Externally, you should think about vendors or contractors that you may have given access to while troubleshooting.
If you hired a web developer to build your ecommerce website, do they still have administrative access to the site?
If so, what happens if they are compromised and the attackers get access to your website?
Question #4 – Are there regulations that your business must comply with? Like PCI, HIPAA, GLBA, GDPR, or CCPA?
Because of the numerous breaches recently, cybersecurity is getting a lot more attention.
This means more and more states are passing regulations dealing with specific areas of security and privacy.
It is important that you take this into consideration while developing your own small business cybersecurity plan.
Adding compliance to your security program could completely change your approach.
Here’s a tool we’ve put together to help you figure out whether you need to be compliant with any regulations.
Because of the ramifications of security incidents, you should get legal counsel to help you answer definitively whether you must comply with specific regulations.
Tip: You must understand that no company can go from having no security to 100% secure overnight. It’s a process. So, prioritize the greatest risks to your company, address them, and focus efforts and funding on other security threats later.
Step 2: Identify Your Risks
Do you know how to make sure that your small business cybersecurity plan is focused on the right areas?
And how to be sure you can demonstrate that you are prioritizing correctly?
Take a risk-based approach.
Once you have a clear understanding of your organization, you can move on to the next phase in your small business cybersecurity plan – a risk assessment.
Here are a few reasons to understand risk early in your security program:
Cybersecurity Plan Budgeting
One of the biggest challenges that small and mid-sized organizations face around cybersecurity is budget.
Over 50% of IT staff claim that budget is one of the limiting factors of their security program.
Security tools and trained staff are quite expensive.
This is why most organizations have to build out their security program in phases.
Knowing the weaknesses that are the most risky allows you to set priorities in your cybersecurity plan.
Complete security is impossible
Here’s the unfortunate reality regarding cybersecurity:
There is no such thing as unhackable.
Every security control can be defeated by someone with the right determination and resources.
This is why layered defense is important.
Provide enough deterrents that an attacker will give up.
So, since you can’t fix every security vulnerability in your organization, it is important to identify the most risky ones and resolve them.
Now, let’s talk about the steps you should follow to identify risks within your organization.
Phases for small business risk assessments
When you conduct a risk assessment, don’t take an arbitrary approach.
Instead, follow a repeatable process so that subsequent assessments go through the same steps and produce comparable results.
If you reference the NIST guide for conducting risk assessments, the phases go like this:
Phase 1 – Determine the threats to your small business
Identifying your threats means exploring the types of attacks an attacker could conduct against you.
There are literally hundreds of them, but you will need to narrow down to those you will explore in your risk assessment.
I recommend that you take a look at the threat dictionary inside of NIST’s risk assessment guidance to get started.
There are over a hundred threat events.
Another great list to check out is the MITRE ATT&CK framework.
Phase 2 – Identify vulnerabilities within your organization
Identifying vulnerabilities is a very important part of the risk assessment process.
In fact, many times, it is necessary to conduct a vulnerability assessment alongside a risk assessment so that you can have accurate vulnerability information.
This is one part of your small business cybersecurity plan that you should definitely seek outside assistance for.
The tools needed for identifying vulnerabilities are quite expensive.
In addition to the cost, knowledge is required – running a scan isn’t enough.
You need to know how to interpret the results from the tools and still look out for other flaws that could be potential vulnerabilities.
For example, a vulnerability scanning tool won’t find that the door to the server closet is always unlocked.
Quite a risk, right?
If you do still plan to handle the vulnerability assessment internally, here are some tips on tools: Nessus, OpenVAS, Burp Suite Pro, SolarWinds Network Configuration Monitor.
Phase 3 – Determine the likelihood of occurrence
Once you have identified potential threats and vulnerabilities within your organization, it’s time to identify the likelihood that the threat incidents will occur and cause harm.
This phase is definitely a little bit trickier than the previous ones.
The overall likelihood of a threat event actually depends on a few things:
First, the likelihood the event will happen.
Second, the likelihood that the event happening will have a negative impact.
You need to think about these separately before finding a way to “merge” them.
NIST guidance provides a few methods.
Here’s what you do:
Take your list of threat events and determine the likelihood the event will happen.
Next, use the same threat events and figure out whether the event happening will have a negative effect on your organization, and how much.
Then, you need to combine these.
Typically, you would use a weighted average system.
The more damage an event would cause, the more likely you would perceive it to be.
Phase 4 – How much impact would the event have?
I know it probably seems like we just discussed this, but you have to think about these two items in two completely different lights.
When you used the impact to help you weight the likelihood, you were approaching this from a general perspective.
Now, you should think about this from the perspective of the capabilities of your opponents, the vulnerabilities in your organization, and the capabilities of any controls you already have in place or plan to implement shortly.
Hopefully, you’re not confused.
Let’s break this down.
Take the threat of installing general purpose sniffers on devices within your organization.
In the previous steps, you have identified that your attackers are highly skilled and determined because of your industry.
Then, you determined that the likelihood of this event is medium since you have controls in place that prevent
Phase 5 – Calculate the risk
Figuring out the overall risk of a security threat is actually pretty simple.
If you have taken the time to accurately determine the likelihood of occurrence and potential vulnerabilities, you have done the majority of the work.
Next, you need to calculate the overall risk.
To do so, use the risk chart provided by NIST.
Find the intersection of the determined level of impact and likelihood.
This will give you the overall risk that you can use for reporting and decision making.
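Phases 3 and 5 are both matrix lookups: the two likelihood estimates are combined into an overall likelihood, and that overall likelihood is intersected with impact to read off the risk. The example below is an added illustration, not code from the original post or from NIST. The five-level scale (Very Low to Very High) is NIST’s; the cell values in the two matrices are my own simplification that follows the shape of the published SP 800-30 tables (higher impact pulls the combined rating upward) and should be replaced with the cells from the published tables before you rely on the output. The threat register at the bottom is constructed.

```python
"""Qualitative risk scoring in the NIST SP 800-30 style:
combine occurrence likelihood with adverse-impact likelihood (Phase 3),
then intersect overall likelihood with impact to get a risk level (Phase 5).
Matrix cells are an illustrative simplification, not the published tables."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


def _idx(level: str) -> int:
    """Map a qualitative level to a matrix index, rejecting typos early."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


# Phase 3: rows = likelihood the event occurs (Very Low .. Very High),
# columns = likelihood that it results in adverse impact (Very Low .. Very High).
OVERALL_LIKELIHOOD = [
    ["Very Low", "Very Low", "Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    ["Low", "Low", "Moderate", "Moderate", "High"],
    ["Low", "Moderate", "Moderate", "High", "Very High"],
    ["Low", "Moderate", "High", "Very High", "Very High"],
]

# Phase 5: rows = overall likelihood, columns = level of impact.
RISK = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    ["Very Low", "Low", "Low", "Low", "Moderate"],
    ["Very Low", "Low", "Moderate", "Moderate", "High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
    ["Very Low", "Low", "Moderate", "High", "Very High"],
]


def overall_likelihood(occurrence: str, adverse_impact: str) -> str:
    """Merge the two likelihood estimates (Phase 3)."""
    return OVERALL_LIKELIHOOD[_idx(occurrence)][_idx(adverse_impact)]


def risk_level(likelihood: str, impact: str) -> str:
    """Intersect overall likelihood with impact (Phase 5)."""
    return RISK[_idx(likelihood)][_idx(impact)]


@dataclass
class ThreatEvent:
    name: str
    occurrence: str       # likelihood the threat event happens
    adverse_impact: str   # likelihood that, if it happens, it causes harm
    impact: str           # level of impact if it does cause harm


def assess(events):
    """Return (name, overall likelihood, risk) per event, highest risk first."""
    rows = []
    for e in events:
        lk = overall_likelihood(e.occurrence, e.adverse_impact)
        rows.append((e.name, lk, risk_level(lk, e.impact)))
    rows.sort(key=lambda r: _idx(r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    # Constructed register for a small ecommerce business.
    register = [
        ThreatEvent("Phishing leads to credential theft", "High", "Moderate", "High"),
        ThreatEvent("Ransomware on the file server", "Moderate", "High", "Very High"),
        ThreatEvent("Server closet left unlocked", "Very High", "Low", "Moderate"),
    ]
    for name, lk, risk in assess(register):
        print(f"{risk:9}  likelihood={lk:9}  {name}")
```

The sorted output is the list you take into Step 3: the events at the top are the ones the first phase of controls should address.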
Step 3: Implement Basic Security Controls
Now that you understand the risks that your small business faces, you can begin implementing appropriate cybersecurity controls.
The first tier of controls that we will discuss are basic security controls.
Let’s look at some specific controls.
Inventory & Patch Management
This should be one of the first things that you do for your security program.
Keeping an inventory of the software installed on your company’s devices allows you to know what is installed and to be sure that all apps, computers, and other systems are updated and patched to the latest versions.
Un-patched devices and apps are open doors for attackers.
In addition to tracking the software you have installed, you need to track what hardware is on or joins your network.
Insider Tip: Routers, switches, cameras, and electronic devices often are overlooked for patching. Know that these devices periodically get firmware updates. Without applying these updates, you risk your devices being targeted by attackers.
Internet Access Constraints
Depending on your business, you should try to limit access to the internet.
If you use a point-of-sale terminal computer, for example, your employees should not be browsing the internet on that device.
Should the device be compromised, you are risking the confidentiality of all of your customer credit card information.
One simple solution that some small businesses find affordable is using a dedicated Chromebook for accessing payroll and accounting systems.
Chromebooks use a containerized approach.
Each browser tab is completely segmented from the others – much better for security.
In short, if a device is not a user’s computer, internet access should be limited.
Backups
Backups are extremely important and a must-have for pretty much every small business cybersecurity program.
This is especially important in the event that you are the victim of a ransomware attack – an attack in which your computer is locked with malware and you must pay to regain access.
Insider Tip: Make sure that you have at least one backup located offsite. This way, if an attacker gains access to your network, they aren’t able to destroy your backups. If possible, password-protect all of your backups as well.
Security Awareness Training
You must educate your employees about cyber threats!
Employees who are not trained to beware of cyber threats dramatically increase the risk that your small business will be the victim of an attack.
It is important that everyone in your business develop a “culture of security” – that is a mindset in which they are always aware of attack vectors such as suspicious emails and actively avoid falling prey.
There are many security awareness solutions that include training videos and simulated phishing tests.
Multi-Factor Authentication (MFA)
Enable multi-factor authentication (MFA) wherever possible.
It’s a completely free security control that is highly effective for the average small business’s security.
There are a variety of MFA techniques, but the two most common are texts and authentication code apps.
In both cases, you get a six-digit code that you must enter after you log in to an account.
This is a great additional layer of security in case your login credentials are compromised.
Computer Access Control
This is another security control that small businesses overlook but can be very effective.
There are two main types of accounts on your computer – regular users and administrators.
Regular users cannot install software and make certain configuration changes without entering administrative credentials.
When a regular user is browsing the internet and accidentally visits a malicious website, a payload that tries to run on their system won’t be able to install itself with administrative privileges.
For this reason, I usually tell everyone to work in the regular user account on their computer.
Then when they need to install additional software or make a configuration change, they can simply input the credentials when prompted.
Firewall
Having a properly configured and maintained firewall is a vital component of every small business cybersecurity plan.
A properly configured firewall (or Unified Threat Management Device – UTM) can do a lot in limiting who can access your business network from the outside.
They can also restrict outbound traffic and enforce network segmentation.
You should also enable and configure the firewalls on each endpoint you use – computers and servers.
Vulnerability Scanning & Health Checks
A vulnerability scan is a test of your network looking for vulnerabilities that an attacker could exploit.
Most organizations should conduct vulnerability scans at least once per quarter.
Reducing vulnerabilities means reducing the likelihood an attacker can gain access to your network.
Criminals regularly perform vulnerability scans of your business network, so get ahead of them.
Antivirus Software & Endpoint Protection
You should install and use endpoint protection on all computing devices on your network.
In the bygone times of information security, you could just install anti-virus protection on your computers and be protected.
Don’t get me wrong.
It’s still a very important security control; it’s just not the end-all solution anymore.
When selecting an anti-virus or endpoint protection solution, look for one that looks at behavior rather than just signature.
Solutions using the out-dated signature-based method miss many modern attack methods.
Email Security Gateway
Email is one of the easiest ways for attackers to attack your network.
A security gateway will check incoming and outgoing emails for viruses, malware, and spam before they arrive at your inbox.
This is a great way to reduce cybersecurity threats from reaching your business.
Virtual Private Network (VPN)
VPNs ensure that anyone on the same network as the VPN user is unable to view or access the data being sent (like passwords).
This is an especially important cybersecurity control for small businesses, especially when employees travel or work from home frequently.
Step 4: Advanced Security Controls
If your small business has the basic cybersecurity controls covered, there are still a few things you can do to improve defenses.
Implementing these advanced security controls is pointless if you don’t have the basics covered.
But if you do, and you’re ready to take your security maturity to the next level, you should look into these advanced controls.
Let’s look at a few that can really boost your company’s security posture:
Vendor Security & Compliance
Your vendors and suppliers can be a bigger cybersecurity risk than you may realize.
Especially if you work in the healthcare space.
For organizations that must comply with PCI and HIPAA, selecting vendors that are compliant is a must.
You should conduct due diligence questioning and investigations before partnering with a new organization.
Adding compliance requirements to your contracts is a great additional step to mitigate liability.
Logging
Most apps and programs have internal logging – i.e. they write logs locally to your computer.
The logs include information about how the app is behaving or the errors they encounter.
These logs can also be invaluable for detecting and investigating cyber incidents.
Collecting these logs can take a lot of storage and attackers often try to remove them when covering their tracks.
Having a cloud-based collection and analysis software (SIEM) can help your business detect attacks earlier.
You should definitely include this control in your small business cybersecurity plan.
Penetration Testing
After you have all of the basic cybersecurity controls covered, you may want to hire an organization to attempt to attack your company.
This will give you an idea of what cracks you have left and how an attacker could use them.
The report will also usually include suggestions for how to better protect your business.
Note: Penetration tests are required by some compliance regulations. However, they can be expensive and are really only of value for businesses with fairly mature security programs.
Website Whitelisting
Here’s what you have to understand about browsing the internet:
Visiting infected or malicious websites is often one of the main attack vectors that criminals use.
Because of this, it only makes sense for you to whitelist the sites your company uses for operations.
Note: Whitelisting means allowing certain items, and blocking all others.
Then, employees can’t visit any other sites, drastically reducing the risk to your organization.
Data Loss Prevention
DLP tools help in preventing sensitive information from leaving your organization.
Step 5: Monitoring and Auditing
Monitoring and auditing your cybersecurity program is one of the most important things you can do.
“Set and forget” absolutely doesn’t work when it comes to cybersecurity.
Let’s talk about methods to ensure attackers don’t have a heyday in your environment.
Establish a security baseline
The first thing that you need to do to begin monitoring your systems for suspicious behavior is to establish a baseline of normal activity.
You’ll want to know what normal activity on your network is when you’re trying to investigate something that you think is abnormal.
Here’s what I mean:
Look at the beacon-like nature of the traffic in the image.
At a first glance, this could appear to be an attacker’s command and control activity.
But if you know that an application on your network regularly reaches out to a cloud server for uptime monitoring, you can rule out this particular traffic as being that of an attacker.
Here are some actions that you can take to create a baseline of network activity.
Figure out the IP addresses allowed to access your network
There are many ways that you can do this.
One simple way is to use Wireshark.
Simply run a packet capture for 24 – 48 hours (or longer if you want more data).
Then, in the statistics tab, you can view IPv4 statistics.
Or, you can look at conversation statistics to see which IPs talk with each other.
This can be a very useful data set.
If you see devices communicating that never have previously, that could be a sign of trouble.
Understand network traffic patterns
The next thing you’ll want to understand is network traffic patterns.
For example, you may have a server that receives and sends a lot of traffic.
If there is a sudden and prolonged spike or decrease in traffic, that could be a sign that you should investigate further.
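The three checks described above (which pairs of hosts talk to each other, whether a conversation has the beacon-like regularity of command and control, and whether a host’s traffic volume departs from its usual level) can be written as a small script once you have a baseline. The example below is added here and is not code from the original post or from Wireshark; the baseline sets and the log records (timestamp, source, destination, bytes) are constructed to stand in for what a 24 to 48 hour capture and its conversation statistics would give you. The uptime-monitor conversation is deliberately included so that its regular beacon is recognized as known and not reported.

```python
"""Compare current network conversations against a baseline and flag
unknown pairs, beacon-like regularity, and volume outliers.
Added example; baseline and log records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline, as a 24 to 48 hour capture would have produced it.
BASELINE_PAIRS = {
    ("10.0.0.12", "203.0.113.5"),   # workstation -> cloud uptime monitor
    ("10.0.0.12", "10.0.0.2"),      # workstation -> file server
    ("10.0.0.15", "10.0.0.2"),
}
KNOWN_BEACONS = {("10.0.0.12", "203.0.113.5")}   # checks in every 60 s by design
BASELINE_DAILY_BYTES = {"10.0.0.12": 10_000, "10.0.0.15": 50_000}

# Constructed records: "<seconds> <src> <dst> <bytes>"
SAMPLE_LOG = """\
0 10.0.0.12 203.0.113.5 200
60 10.0.0.12 203.0.113.5 200
120 10.0.0.12 203.0.113.5 200
180 10.0.0.12 203.0.113.5 200
240 10.0.0.12 203.0.113.5 200
300 10.0.0.12 203.0.113.5 200
10 10.0.0.12 10.0.0.2 1500
25 10.0.0.12 10.0.0.2 1500
90 10.0.0.12 10.0.0.2 1500
140 10.0.0.12 10.0.0.2 1500
260 10.0.0.12 10.0.0.2 1500
5 10.0.0.15 198.51.100.9 300
35 10.0.0.15 198.51.100.9 300
65 10.0.0.15 198.51.100.9 300
95 10.0.0.15 198.51.100.9 300
125 10.0.0.15 198.51.100.9 300
155 10.0.0.15 198.51.100.9 300
200 10.0.0.15 10.0.0.2 5000000
"""


def parse_log(text):
    """Turn the whitespace-separated records into (ts, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        records.append((int(ts), src, dst, int(nbytes)))
    return records


def by_pair(records):
    pairs = defaultdict(list)
    for ts, src, dst, nbytes in records:
        pairs[(src, dst)].append((ts, nbytes))
    return pairs


def unknown_conversations(records, baseline=BASELINE_PAIRS):
    """Host pairs that never talked to each other during the baseline period."""
    return sorted({(s, d) for _, s, d, _ in records} - baseline)


def beacon_like(records, min_conns=5, max_cv=0.1):
    """Pairs whose gaps between connections are nearly constant
    (coefficient of variation of the gaps at or below max_cv)."""
    hits = []
    for pair, conns in by_pair(records).items():
        times = sorted(ts for ts, _ in conns)
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((pair, round(avg), round(cv, 3)))
    return hits


def volume_outliers(records, baseline=BASELINE_DAILY_BYTES, factor=3):
    """Source hosts sending more than factor x their baseline volume.
    A host with no baseline entry is always reported: it is new to the network."""
    totals = defaultdict(int)
    for _, src, _, nbytes in records:
        totals[src] += nbytes
    return sorted((h, t) for h, t in totals.items() if t > factor * baseline.get(h, 0))


def report(records):
    """Everything worth a second look, with the known uptime beacon filtered out."""
    return {
        "unknown": unknown_conversations(records),
        "beacons": [h for h in beacon_like(records) if h[0] not in KNOWN_BEACONS],
        "volume": volume_outliers(records),
    }


if __name__ == "__main__":
    for key, value in report(parse_log(SAMPLE_LOG)).items():
        print(f"{key:8}: {value}")
```

On the constructed data the uptime monitor beacons every 60 seconds but is in the known-beacon list, so only the workstation at 10.0.0.15 is reported: it talks to a destination that was never in the baseline, does so every 30 seconds, and pushes far more data to the file server than it normally does. Each of those alone could be benign; all three together are what you would hand to whoever is investigating.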
SIEM
Security Information and Event Management (SIEM) is a common security monitoring solution.
A SIEM collects data from other devices in your environment so you can perform correlation and analysis.
The goal of a SIEM is to proactively identify security events that should receive further investigation.
Implementing a SIEM is probably an item to include in your small business cybersecurity plan.
If you don’t have the skillset in your organization to manage it, you can outsource it for a reasonable price.
Internal audits
Auditing should be part of every small business cybersecurity plan – no matter how big or small your organization.
Somehow, the term audit has a bad connotation for a lot of people.
Yet it’s something you should be doing regularly; audits don’t have to be scary.
For example, you can regularly conduct an audit to ensure that all users have logged out of their computers before they left for the day.
Wait until everyone leaves and walk around the office.
Take note of anyone that has not, or if everyone performed well, write that down.
You will have completed an audit.
A key is to document these audits.
That way if you ever need to prove you are taking security seriously you can.
Third party audits
Of course, third party audits are very useful as well.
Humans are prone to groupthink.
We get accustomed to something and can miss important indicators of problems.
Or if we relate this to cybersecurity, it’s easy to be so busy with day to day tasks that you don’t have time to “pull threads” in your organization.
Third party auditors come with a different view of your environment and can oftentimes spot things you don’t see.
For example, I was once part of an audit and the auditor suggested that instead of sending attachments in emails, the organization could send links to the file locations.
He correctly pointed out that this action could cut a lot of storage necessary on email servers.
I hadn’t thought of that before – he was right.
Once you have the basic security controls in your cybersecurity plan implemented, it’s a good idea to begin thinking about having a third party audit.
Step 6: Incident Response Planning
Did Grandma ever tell you that you should set some money aside in case it “rains”?
When it comes to cybersecurity, it sometimes “rains.”
Businesses have security incidents daily.
What really determines the impact of a security incident at your organization is how prepared you are to handle them.
Let’s talk about incident response plans:
No matter how hard you work to secure your organization or how vigilant your employees are, your company is likely to face a cyber incident at some point.
How your company survives can depend on how well you have planned your response to the incident — your incident response plan.
An incident response plan is basically a plan for what to do if your business is breached.
How you choose to respond to each incident will depend on what happens.
If all of your computers are locked up by ransomware, for example, you may have different options to choose from if you have a backup in place vs if you didn’t.
If your customers’ credit card details are stolen, your incident response plan will guide you regarding who to notify and actions necessary to resolve the breach.
To speed recovery even more, it helps to have prepared flowcharts and contact lists.
In the end, it is important that you have a conversation about these things before an emergency arises.
Ever heard the saying “an ounce of prevention is worth a pound of cure”?
Definitely the case here.
Create and rehearse your incident response plan now; you never know when you will need to use it.
Cybersecurity for Small Business References
U.S. NIST Small Business Act
The U.S. NIST Small Business Act was passed as law in August 2018.
It provides cybersecurity resources to SMBs to help them protect themselves against cyber attacks.
UK Cyber Essentials
The UK Cyber Essentials is a government information assurance scheme that encourages organizations to adopt good practices in information technology.
CIS 20 Security Controls
The 20 security controls by the Center for Internet Security is a great framework for any organization looking to improve their security posture.
Controls are divided into 3 tiers based on security maturity.
Cybersecurity Tools For Small Businesses
Wizer
Wizer training is a relatively new security awareness solution.
There are plenty of solutions that you can use for educating, but there are a few things about Wizer that – in my opinion – make it a perfect solution for SMBs.
First of all, there is a completely free tier that you can use to begin educating your employees.
Second, the videos are all less than 90 seconds long.
This is perfect for SMBs where everyone is already overworked.
Canary Tokens
Canary tokens is a pretty unique small business cybersecurity tool that you can use as a trip wire in your security program.
There are multiple file types you can use – word docs, PDFs, web links, and more.
With the word docs, for example, you can create a word document and choose an email that you want to alert when it is opened.
The site will give you the file to download (or configuration if you’re using VPN).
You can then place that file on your own system.
Anytime someone opens it, you will get an email.
Security Onion
Security Onion is actually a Linux distribution.
It includes many very useful security tools all in one place.
The tools include: Kibana, Zeek, Snort, Logstash, NetworkMiner, and others.
The distro was developed for threat hunting.
BitLocker
BitLocker is an encryption tool that comes with Windows by default.
You can use it to encrypt hard drives, external drives, folders, and files.
Encryption can prevent a lot of attacks.
Qualys
Qualys is a cloud-based asset management solution that you can use for tracking the software and configuration of your assets.
It is agent-based.
When you deploy a new device, you install the Qualys agent.
It will monitor the device and provide data about it – network information, installed software, vulnerabilities, and more.
Zeek
Zeek is an open source network security monitoring framework.
You can capture network traffic and analyze it with Zeek to identify potential threats within your environment.
You should note that this is a reactive approach not preventative.
Now It’s Your Turn
So that’s our organized plan for cybersecurity for small businesses.
Now I want to turn it over to you: Which of the controls from today’s guide are you going to implement first?
Or do you have a recommendation for a tool that we overlooked?
Let me know by leaving a quick comment below right now.