The Essential Guide to Cybersecurity for SMBs: Section 4 – What Does a Cyber-resilient Business Look Like?

Resiliency is not just for large organizations. SMBs should incorporate resiliency principles as a means of reducing risk. As a community, we continuously hear that all companies are experiencing a rise in the threats and attacks they face and that new, evolving threats are out there waiting to strike. I don’t believe in fear-mongering; however, keeping this sense of urgency in mind, I think it’s essential for the security managers of SMBs to understand what resiliency looks like, how it can fit into their security program’s strategic plan, and how it will change an SMB’s security budget. As the security manager and company start to contemplate which processes may require resiliency, don’t forget that it is also important to include methods for measuring the level of resiliency achieved. The end goal is to effectively blend resiliency into critical business operations and develop metrics that the SMB’s security manager can use to show what level of resiliency equates to measurable business value, justifying the expenditure of security department resources.

The dictionary definition of resilience is the “capacity to recover quickly from difficulties.” In cybersecurity, resiliency focuses on how an organization recovers from an incident, and it spans multiple domains such as cybersecurity, business continuity, disaster recovery, and organizational operations. The objective of cyber resiliency is for the SMB to be able to adapt and continue delivering services to its customers while the event is ongoing and being addressed by its security manager and team. Additionally, the business operations domain should include processes to restore standard business services after the incident occurs.

The Essential Guide to Cybersecurity for SMBs: Section 5 – An MSP’s View on SMB Risk

In Chapter 18, I discussed what SMBs and their security managers should consider when they select a managed service provider (MSP) or a managed security services provider (MSSP) for external technology and security services. However, there is another view to consider: that of the MSP itself. I find this perspective interesting because each potential SMB client is unique, with technology, process, compliance, and data requirements that can range from easy to manage to extensive and complex. This chapter is a discussion between myself and an MSP about various SMB risks and how they might manage them. I want this chapter to give SMBs and their security managers a window into how they may be evaluated for critical services when working with potential MSP partners. I am providing this resource to you, security manager, not only to help you understand how your company is evaluated, but also to help you in your professional growth as a security executive. It is good to have multiple viewpoints on business risk. With this information you can help your company negotiate a compromise when there are issues with an MSP vendor, and as the senior security leader you will be dealing with such issues.

As we begin, I want to state that I am not currently managing, nor have I ever managed, an MSP; however, in my previous roles I have worked with and advised many of them. It’s that experience, plus my 20 years in technology and security evaluating the risk exposure of my organization and its strategic business operations, that provides the insight for this chapter. Please note, as we begin, that the issues that follow are not all-inclusive. They are simply issues I have seen MSPs review when selecting new clients, based on the client’s current technologies, the industries they compete in, and finally, their ongoing business practices. For each issue, I shall discuss what concerns me, and hopefully that dialogue can assist actual MSPs in making better-informed decisions, and SMBs in maturing their business practices.

Some potential risks I believe an MSP would screen for are as follows…

The Essential Guide to Cybersecurity for SMBs: Section 6 – Building Your Cybersecurity Strategic Plan

Technology changes at a rate most businesses can’t keep pace with, and this lag introduces considerable risk to a company’s business operations. To manage this risk, many security leaders must wade into an ever-changing, turbulent network landscape and seek to establish some order through their selected security frameworks and controls. These security leaders also apply best-practice approaches to this diverse risk portfolio using traditional concepts such as zero-trust and layered security technologies and services.

I believe this approach needs to change, especially for SMBs. This approach was created for the centralized, managed networks on which many of us in security started our careers years ago. Today’s networks typically don’t have fully defined perimeters. They are designed for the mobile worker and geo-dispersed teams, with numerous third-party connections to vendors and trusted partners. It’s these new network infrastructures, which exist in the cloud, in shared data centers, and on mobile devices, that force SMBs and their security managers to reevaluate how to implement and manage the business’s cybersecurity program without impeding new business opportunities.

Strategic plans, in essence, are cybersecurity roadmaps that establish the pathways a security manager will follow to mature their risk management approach while protecting their company. These plans should describe how the security program will preserve and share information, counter new and evolving threats, and support the integration of cybersecurity as a best practice for everyday business operations. A strategic plan should note the “current state” of security practices and describe near-term objectives to be addressed in the next 12 months, midterm goals in the next 18-24 months, and long-term objectives over the next 36 months. The security manager and critical stakeholders usually develop this plan, and it should be considered a living document. The vision, goals, and objectives of this plan should be reviewed at least annually by the security manager and the SMB’s executive leadership team, with changes incorporated and new initiatives scheduled accordingly.

To begin, security managers must understand the current security state of their SMB. This effort will require an inventory and continuous scanning of assets such as hardware, software, network configurations, policies, security controls, prior audit findings, etc.


Bring Your Own Cyber

Section 1: Securing Your Business

Chapter 1 – Lock the Doors

The first step is to control access to the business. Gangs and organized crime have moved into cybercrime, and their first step is to “case the joint.” Lock the door, lock the closet where you keep the servers, and lock the registers.

Chapter 2 – Cyber Awareness

Next we move on to some basic cyber awareness. We describe phishing and proper cyber-hygiene at a high level, and discuss industries (those that take credit cards, those that provide healthcare services) that have specific rules.

Chapter 3 – Protecting Your Network

We keep it simple and talk about anti-virus/anti-malware software, networks, routers and firewalls, WiFi basics, VPNs, and performing regular updates.

Chapter 4 – Updates and Backups

Taking regular backups is a critical step that requires its own chapter. We address onsite and offsite backups and what their objectives are – to protect you from mistakes, to protect you from losing files due to server or disk failure, and to protect you from ransomware.

Chapter 5 – Access Management and Strong Passwords

Next we tackle three more technical issues. We start with access, and talk about granting specific access by function, giving employees access that is not all-powerful, and knowing when and how to use virtual private networks (VPNs) and multi-factor authentication (MFA).

Section 2: Securing Your Brand

Chapter 6 – Web and Social Media Security

The small business owner’s web presence has changed a lot over the years. We’ll discuss the basic procedures that are needed, such as updating regularly, checking emails and other customer interactions, and paying for the key protections that their hosting companies offer. Social media is more than just Facebook and Twitter. We talk about the key services, including those two, Instagram, and listing sites such as Yelp! and Google. We also talk about messaging, social profiles, and behavior. Given that there are so many platforms for ratings and listings, we suggest ways of searching for your business online and explain the importance of managing your online reputation.

Chapter 7 – Data Privacy

In this chapter we discuss the requirements that small businesses have for handling credit card data and medical records. This high-level chapter explains basic duties and training for staff and provides some resources for PCI (for merchants) and HIPAA (for sole practitioners and small doctors’ offices).

Chapter 8 – Cyber Insurance

This is a great time to talk about the insurance policy: what you should look for, what it covers and what it doesn’t, and how to work with carriers to be an acceptable customer. We also cover verifying riders and terms and conditions.

Chapter 9 – Be Ready

The last chapter is devoted to what the reader should do once they have finished this book.

Welcome to CISO DRG

Welcome to the CISO DRG site. We’ve built this site to showcase the authors who contribute to the CISO Desk Reference Guide catalog, provide information about the books in our catalog so you can determine which books will best help you on your journey, highlight the compelling cybersecurity issues that we feel need discussion, and have an ongoing dialog among the cybersecurity community.

Over the next few months, we’ll be publishing several more books (look for the coming soon banner for the books in each of our series), as well as launching a regular blog and a newsletter to stay in touch with you. We’re working now on the plumbing to allow for moderated dialog. Our goal is to create a hub for cybersecurity professionals, whether it is to dialog with the authors or each other. And hopefully, we’ll have a little fun along the way.

With Warm Regards,
Gary, Matt & Bill