The Cyber Readiness Institute (CRI) asked its Small Business Advisory Council, a group of 15 public and private organizations that serve SMEs in various capacities, to identify key tips to help SMEs become more secure and resilient. The Council developed the following seven fundamental cybersecurity actions. While each enterprise’s individual circumstances will dictate the specifics of its cybersecurity program, the tips below serve as guardrails toward making your organization more cyber ready.
Every organization needs to take cybersecurity as seriously as other mission-critical functions, such as operations and finance. Cybersecurity is not just an IT issue; first and foremost, it is a people issue. These seven tips apply to your organization, no matter the size.
Tip 1: Pick a Cyber Leader
It’s important to have a designated person spearhead your company’s cyber efforts. Assigning a person with authority to be your “Cyber Leader” highlights your commitment to cybersecurity and provides an additional professional — and relevant — experience for the individual. In addition to ongoing cybersecurity management, the Cyber Leader can adopt and share best practices that employees can implement and be the point person when employees have questions or when cyber incidents occur.
Tip 2: Create a cyber aware culture
Creating a culture of cyber awareness means ensuring that all employees know they play a fundamental role in your business’s cyber resiliency. You need to make sure they have the knowledge, skills, and commitment to play that role. This culture can be facilitated through education and training, but it takes leadership to create and sustain a cyber-aware culture. With a remote work environment, regularly review cyber policies with your employees and ensure they understand their role in keeping the organization “cyber-safe.” In your workplace, consider posting your Remember, culture is created through your employees having a common behavior.
Tip 3: Communicate, communicate, communicate
Awareness is built through frequent, short communications. Weekly newsletters, regular emails, posters, or screensavers can all be vital to keeping your employees aware of the dangers of cyber breaches and how to prevent them. The CRI Starter Kit has eye-catching posters to communicate important reminders to your employees. Identify what is relevant to your organization, and tailor communications accordingly. Some of our suggestions include picking a cyber theme of the month to focus on – for example, recognizing phishing attempts or using strong passwords. Many governments and organizations offer free monthly awareness newsletters that businesses can share with their employees. Examples include the State of Mississippi and SANS’ Ouch!
Tip 4: Protect the Crown Jewels
You cannot protect everything equally. You should identify which data and systems (e.g., website, email, accounting, customer information) are most important to your ongoing operation. As part of the risk assessment, think about what would happen if you lost important data or your system went down. This preparation will help you prioritize what to protect. Every organization, no matter how small, should identify the so-called “crown jewels,” and make sure security controls protecting the “jewels” are appropriate to the task. Regularly assess how well protected your most critical data and systems are and proactively take the necessary steps to improve security. CRI’s “Ransomware Playbook” offers helpful guidance on prioritizing your assets.
Tip 5: Have a plan
Having an incident response plan to direct your actions when a cyber incident occurs is vital. The incident response plan should cover preparation in case of an incident, response during the incident, and rapid recovery from the incident. It should include considerations for business continuity, data loss, and back-ups for recovery. Given that many small businesses are forced to cease operations within one year of a cyber attack, it is especially important to have a recovery plan that is communicated to all employees. Furthermore, conducting exercises or drills that test the incident response plan (known as tabletop exercises) will help employees identify their responsibilities during incidents, and allow them to act effectively and securely when (not if, unfortunately) cyber attacks happen. The most important part of preparation is having current back-ups that you have tested – especially for your most important data (aka “crown-jewels”).
Tip 6: Understand the basics
There are many technologies, activities, and services that you can focus on when it comes to securing your IT infrastructure. It is important to have someone in your organization (the Cyber Leader) who knows what questions to ask and can understand the answers. Examples include:
- keeping a current inventory of the devices people use to connect to your network;
- ensuring your software is routinely updated;
- using multi-factor authentication (MFA) for email, online banking, and other sensitive services;
- using a properly configured virtual private network (VPN) for all remote access;
- adopting mobile device management;
- enforcing strong employee passphrase policies with length and complexity requirements; and
- automating secure storage backups.
Whether your IT is in-house or you use a Managed Service Provider (MSP), it’s vital to make sure your IT is being securely managed.
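Tip 5 stresses that a backup only counts if it has been tested, and Tip 6 lists automated backups among the basics. The script below is an added illustration written for this page (it is not a CRI tool) of what "tested" can mean in practice: archive the important files, record a SHA-256 hash of each one in a manifest, then restore the archive into a scratch directory and compare every restored file against the manifest. The file names and contents are constructed sample data; the second verification run shows how a backup whose contents have silently drifted from the manifest is flagged rather than trusted.

```python
"""Added example: create a backup archive, record a SHA-256 manifest, and
verify a restore against it. Illustrative code written for this page, not a
CRI tool; file names and contents are constructed sample data."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "crown jewel" data (relative path -> contents).
SAMPLE_FILES = {
    "accounting/ledger.csv": "2024-01-05,invoice-1001,1250.00\n",
    "customers/contacts.csv": "Acme Co,ops@example.com\n",
}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup_dir: Path) -> tuple[Path, Path]:
    """Archive every file under `source` and write a manifest of per-file hashes
    beside the archive. The manifest is what later restores are checked against."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "backup.tar.gz"
    manifest_path = backup_dir / "backup.manifest.json"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Restore the archive into a scratch directory and compare each file to the
    manifest. Returns ok / mismatch / missing path lists; the backup is only
    'tested' when both error lists are empty."""
    manifest = json.loads(manifest_path.read_text())
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": []}
    # Use the safe extraction filter where this Python version provides it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_kwargs)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_file(restored) != expected:
                result["mismatch"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def run_demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Back up the sample data, verify it, then verify a drifted copy of the
    data against the original manifest to show that the drift is detected."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "data"
        for rel, contents in SAMPLE_FILES.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(contents)
        archive, manifest = create_backup(source, Path(work) / "backup")
        good = verify_restore(archive, manifest)
        # Simulate a backup whose contents no longer match what was recorded.
        (source / "accounting/ledger.csv").write_text("corrupted\n")
        drifted_archive, _ = create_backup(source, Path(work) / "backup_drifted")
        bad = verify_restore(drifted_archive, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("clean backup:", json.dumps(good))
    print("drifted backup:", json.dumps(bad))
```

Scheduling `create_backup` and `verify_restore` to run unattended, and alerting on any non-empty `mismatch` or `missing` list, turns "we have backups" into "we have backups we know restore correctly", which is the point of Tip 5.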
Tip 7: Be compliant
Data regulations vary across industry and region. Depending on the location of your business and the locations of your customers, you may need to change the way you handle personal data or face penalties and fines. Two examples are the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US. These regulations focus on Personally Identifiable Information (PII) (e.g., full name, social security number, email address). If you collect credit card information you should also be familiar with the Payment Card Industry (PCI) standards. Taking the time now to research the security requirements that apply to you, and making sure you comply with them, is important and can save you a lot of time later.
Tip 8: Choose third parties carefully
When you share information with third parties, allow vendors to connect to your network, or rely on them for technical services, you often increase risk to your business. Ensure you choose third parties carefully. Ask whether they have any security certifications or attestations, like ISO 27001, FedRAMP, or Payment Card Industry (PCI). Ask whether they are audited regularly to ensure their cybersecurity safeguards are appropriate and operating as expected (and ask to review a summary of their audit results). Include cybersecurity-related clauses in contracts, such as requiring the third party to use reasonable security precautions or comply with a defined set of security safeguards, to mitigate critical security vulnerabilities within a specific timeframe, and to notify you within a specific timeframe if they have a breach.
Contributing Authors
Special Thanks
- Tanya Bolden, AIAG
- Faye Francy, Auto-ISAC
- Ilene Klein, Cybercrime Support Network
- Jill Tokuda, CyberHawaii
- Walter Bran, ICC Guatemala
- Paola Quezada, ICC Guatemala
- Marc Pillon, IT Ally
- Jennifer Khoury, NCMS
- Mike Pritchard, Netchex
- Stan Stahl, SecureTheVillage
- Dawn Yankeelov, TALK
- Craig Moss, CRI
- Marion Lewis, CRI
- Lessie Longstreet, CRI
- Lyubo Hadjiyski, CRI
- Vivek Ghelani, CRI
About the Cyber Readiness Institute
The Cyber Readiness Institute is a non-profit initiative that convenes business leaders from across sectors and geographic regions to share resources and knowledge that inform the development of free cybersecurity tools for small and medium-sized enterprises (SMEs). Explore the building blocks of good cybersecurity with our Starter Kit or create a cyber readiness culture in your organization with the self-guided, online Cyber Readiness Program. Our Remote Work Resources and Hybrid Workplace Guides offer timely tips for addressing the evolving cyber challenges of today. To find out more, visit www.BeCyberReady.com.