Creating a Small Business Cybersecurity Program
One of the goals of this book is to enable non-technical business owners and their employees to define and implement a workable cybersecurity program that fits within the current culture of their small business. Information technology should be a business enabler, and cybersecurity should support the technology infrastructure and protect information assets as an enabler of business risk management.

Chapter 1: The Objective is Cyber Resilience

We will be looking at this topic from three perspectives. The first is security against cyber-attacks. The second is the legal requirement for businesses to protect their own data and their customers' data, as mandated by regulations for different industry sectors. The third is cybersecurity as part of emergency management planning.

Chapter 2: Applying a Cybersecurity Risk Perspective to Your Business

Your business goals and objectives may be to produce a minimum number of widgets per year, to have the highest customer satisfaction rating in your industry sector among regional competitors, or to achieve a minimum level of monthly revenue. When evaluating risk levels and their impact on the business, a cyber risk that prevents you from achieving a goal or objective may have the same impact as a natural disaster (flood, earthquake, fire, or tornado), because the resulting impact to the business is the same.

Chapter 3: Cybersecurity Risk Assessment Methodology

Using a standard methodology over time provides consistency in the manner in which assessments are conducted and allows direct comparison with prior assessments. A standardized methodology provides a series of steps to follow. It usually starts with planning and preparation, then conducting the assessment and performing the necessary analyses. It concludes with summarizing the results and identifying the actions to be taken to lower overall risk.

Chapter 4: The Elements of a Small Business Cybersecurity Program

The intent of this chapter is to make it easy for non-technical owners or managers to incorporate these documents into an existing business plan. This chapter focuses on the documents encompassing governance and related policies and procedures. Several technical processes that can be automated during implementation will be covered in Section 5. The specific components from each category will vary from business to business, just as there are differences between a small restaurant, a dry cleaner, or an automotive repair shop.

Chapter 5: Cybersecurity Lifecycles – Processes not Destinations

The security functions lifecycle can be applied to individual assets or control measures, groups of assets or control measures, and overall assets and security measures. It’s often easier to keep the groupings small – maybe ten related assets – to make the process more manageable.

Chapter 6: Incorporating Privacy Requirements into Cybersecurity

In the same way that cybersecurity measures should enable secure business operations, they should also enable consumer privacy through secure data management. Do you, as a small business, need to be concerned about consumer privacy rights, even if there might be an exception in one of the laws? Yes, you should be concerned about the personal information you collect from customers, since that data will make you a target for cybercriminals.

Chapter 7: The Small Business Cybersecurity Strategy

Depending on your particular small business and the skill sets of your employees and their involvement with designing processes and procedures, it might be beneficial to create employee teams to draft certain sections of the strategy and program documents. For example, one team might develop the cybersecurity awareness and training program, while another team works on the BC/DR plans, and a third team creates the incident response procedures. Employee acceptance and support will be an important factor in the successful implementation of the cybersecurity program.

Chapter 8: Defining the Strategy, Policy, and Standards

The cybersecurity program includes people (roles and responsibilities), processes (policies, procedures, standards, and guidelines), and technologies (security controls), aligned with and supporting business operations and functions.

Chapter 9: Building Your Plan and Selecting Your Controls

Using an “All Hazards” perspective for emergency management planning, you should include known cyber risks along with other natural or man-made disasters. The risks and respective actions to be taken should be part of the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).

Chapter 10: The Key CIS Sub-Controls for Small Businesses

Now comes the hard work – putting into practice the security policies and procedures you created. This section of the chapter will help you implement simple control measures that are primarily procedural and take little if any technical knowledge or expertise.

Chapter 11: Implementing Administrative and Configuration Controls

Now that you have created a basic foundation for cybersecurity through your governance program and implementing some of the key Sub-Controls in Chapter 12, we can continue with more detailed instructions. You will find duplication of some Sub-Controls in this section because we will be automating several tasks that were implemented manually in the previous chapter.

Chapter 12: Implementing User Controls and Training

Social engineering is one of the most common tactics used in cyber-attacks. Tricking a person into revealing login credentials or releasing other sensitive information is easier than trying to forcefully hack into a computer system. Social engineering consists of criminals using various combinations of tactics, techniques, and methods.

Chapter 13: Implementing Incident and Breach Controls

You should have one primary point of contact who will be in charge of managing incident response. Also, designate an alternate person, in case the primary person is not available or able to perform the necessary duties. These should ideally be management-level employees who provide guidance to other staff who are performing the necessary response tasks.

Appendix C: Incorporating Cybersecurity Risks into a Business Risk Management Plan

From a broad perspective, there are two main categories of risk – internal and external. Internal risk factors are those over which a company has more control. These include financial risk, workforce risk, operational risk, and most cybersecurity risk. External risk factors are generally outside the control of a business, requiring a more reactive stance. For example, these might include regulatory compliance, environmental conditions, national and global economics, availability of raw materials, and certain internet-borne cybersecurity risks.