Creating a Small Business Cybersecurity Program
This book in the CISO Desk Reference Guides® small business series is targeted toward businesses with 25 to 500 employees and limited or no technology or security staff. It provides non-technical, practical, step-by-step instructions for small business owners who need to create a cybersecurity program. The methodology is appropriate for any industry sector and customizable for the size of the business. Topics include:
♦ Incorporating a cybersecurity strategy with a business plan
♦ Incorporating cyber risk into a business risk management plan
♦ Selecting a cyber risk management methodology
♦ Introducing the cybersecurity program lifecycle
♦ Integrating privacy requirements into a cybersecurity program
♦ Ten simple steps to develop a cybersecurity program
♦ Next steps for getting started with implementing security measures
This book includes digital templates and checklists to assist the small business owner in conducting internal assessments and creating the necessary documents. Links to these online documents are given in an Appendix and provided below for your convenience.
One of the goals of this book is to enable non-technical business owners and their employees to define and implement a workable cybersecurity program that fits within the current culture of their small business. Information technology should be a business enabler, and cybersecurity should support the technology infrastructure and protect information assets as an enabler of business risk management.
Chapter 1: The Objective is Cyber Resilience
We will be looking at this topic from three perspectives. The first is security against cyber-attacks. The second is the legal requirement for businesses to protect their data and their customers’ data, as mandated by regulations for different industry sectors. The third is cybersecurity as a component of emergency management planning.
Chapter 2: What You Need to Succeed
So, did we just dream up a series of recommendations from scratch, hoping they sound logical and inexpensive? By no means! We have based the content of this book and its recommendations on well-known national and international standards and on business best practices that have been used and recommended by other experts for many years, plus over twenty years of personal experience. We are attempting to bring together in one place all the information you need for your small business to be successful with regard to cybersecurity.
Chapter 3: Applying a Cybersecurity Risk Perspective to Your Business
Your business goals and objectives may be to produce a minimum number of widgets per year, to have the highest customer satisfaction rating in your industry sector among regional competitors, or to achieve a minimum level of monthly revenue. When evaluating risk levels and their impact on the business, a cyber risk that prevents you from achieving a goal or objective should be treated the same as a natural disaster (flood, earthquake, fire, or tornado), because the resulting impact to the business is the same.
Chapter 4: Cybersecurity Risk Assessment Methodology
Using a standard methodology over time provides consistency in the manner in which assessments are conducted and allows direct comparisons with prior assessments. A standardized methodology provides a series of steps to follow. It usually starts with planning and preparation, then conducting the assessment and performing the necessary analyses. It concludes with summarizing the results and identifying actions to be taken to lower overall risk.
Chapter 5: The Elements of a Small Business Cybersecurity Program
The intent of this chapter is to make it easy for non-technical owners or managers to incorporate these documents into an existing business plan. This chapter focuses on the documents encompassing governance and related policies and procedures. Several technical processes that can be automated during implementation will be covered in Section 5. The specific components from each category will vary from business to business, just as there are differences between a small restaurant, a dry cleaner, or an automotive repair shop.
Chapter 6: Cybersecurity Lifecycles – Processes not Destinations
The security functions lifecycle can be applied to individual assets or control measures, groups of assets or control measures, and overall assets and security measures. It’s often easier to keep the groupings small – maybe ten related assets – to make the process more manageable.
Chapter 7: Incorporating Privacy Requirements into Cybersecurity
In the same way that cybersecurity measures should enable secure business operations, they should also enable consumer privacy through secure data management. Do you, as a small business, need to be concerned about consumer privacy rights, even if there might be an exception in one of the laws? Yes, you should be concerned about the personal information you collect from customers, since that data will make you a target for cybercriminals.
Chapter 8: The Small Business Cybersecurity Strategy
Depending on your particular small business and the skill sets of your employees and their involvement with designing processes and procedures, it might be beneficial to create employee teams to work on creating draft versions of certain sections of the strategy and program documents. For example, one team might develop the cybersecurity awareness and training program, while another team works on the business continuity and disaster recovery (BC/DR) plans, and a third team creates the incident response procedures. Employee acceptance and support will be an important factor in the successful implementation of the cybersecurity program.
Chapter 9: Defining the Strategy, Policy, and Standards
The cybersecurity program includes people (roles and responsibilities), processes (policies, procedures, standards, and guidelines), and technologies (security controls), aligned with and supporting business operations and functions.
Chapter 10: Building Your Plan and Selecting Your Controls
Using an “All Hazards” perspective for emergency management planning, you should include known cyber risks along with other natural or man-made disasters. The risks and respective actions to be taken should be part of the Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Chapter 11: The Key CIS Sub-Controls for Small Businesses
Now comes the hard work – putting into practice the security policies and procedures you created. This section of the chapter will help you implement simple control measures that are primarily procedural and take little, if any, technical knowledge or expertise.
Chapter 12: Implementing Administrative and Configuration Controls
Now that you have created a basic foundation for cybersecurity through your governance program and the implementation of some of the key Sub-Controls in Chapter 12, we can continue with more detailed instructions. You will find some Sub-Controls duplicated in this section because we will be automating several tasks that were implemented manually in the previous chapter.
Chapter 13: Implementing User Controls and Training
Social engineering is one of the most common tactics used in cyber-attacks. Tricking a person into revealing login credentials or releasing other sensitive information is easier than forcibly breaking into a computer system. Social engineering consists of criminals using various combinations of tactics, techniques, and methods.
Chapter 14: Implementing Incident and Breach Controls
You should have one primary point of contact who will be in charge of managing incident response. Also designate an alternate, in case the primary person is not available or not able to perform the necessary duties. These should ideally be management-level employees who provide guidance to the other staff who perform the necessary response tasks.
Appendix C: Incorporating Cybersecurity Risks into a Business Risk Management Plan
From a broad perspective, there are two main categories of risk – internal and external. Internal risk factors are those over which a company has more control. These include financial risk, workforce risk, operational risk, and most cybersecurity risk. External risk factors are generally outside of the control of a business, requiring more of a reactive stance. For example, these might include regulatory compliance, environmental conditions, national and global economics, availability of raw materials, and certain internet-borne cybersecurity risks.
The following supplemental materials are available to download, including basic templates for most of the governance documents described in the book. The templates are provided “AS-IS” without any warranty. These templates were last updated during July 2022.