Effective CyberSec for Small & Medium-sized Businesses
It has never been more important for a business to have an effective cyber security program, but if you are a new company with fewer than 500 employees this can look like a daunting task, and one that is resource and cost intensive.
How do you strike the right balance for your organisation?
Employing a full-time, experienced cyber security specialist can often unbalance a small business. On the other hand, not doing enough to defend your business from opportunist cyber criminals has resulted in a surge of Small to Medium-sized Businesses (SMBs) becoming easy targets.
Many SMB leaders understand the need to harden their critical systems and processes, and are aware that compromised systems or leaked customer/employee confidential data could cause significant harm to their business:
Unavailability of systems (e.g. system outages, ransomware attacks, Distributed Denial of Service (DDoS), etc.).
Data breach (e.g. reputational damage, customer distrust, regulatory fines, etc.).
However, maintaining safe and secure business operations can be difficult and expensive to achieve. Much like keeping a motor vehicle roadworthy, some of the work is out of reach for most people, but there are still jobs that can be done without being a certified and experienced mechanic.
You just need to know where to start!
Much like the Haynes Manual, Canada's Baseline Security Controls provides businesses with a catalogue of foundational controls, which are categorised as:
Whether you are an SMB or a mature, larger organisation, the decision on which security defences to implement should always be driven by the potential risk to your business.
Consequently, it makes sense to ensure that these foundational controls have been implemented effectively to defend your organisation from external attacks.
No matter where in the world your business is, or the size of your organisation, you should be familiar with these types of foundational controls and should periodically evaluate, and report on, their effectiveness.
Implementation of these baseline controls can be easier to achieve, through the use of my methodical project-based approach (aka. PIE FARM):
Phase 1 will help you to understand what risks you are facing, to research the security tools, training and outsourcing options you might wish to consider, and to allocate roles and responsibilities to individuals/teams.
Remember that the chosen options should be commensurate with the identified levels of risk, so that the business owners understand, appreciate and accept those levels of risk.
Whilst your website may not handle your customers' personal data or payment card data, it is still your shop window, and a defaced or compromised site (digital graffiti) damages your brand and reputation.
Consequently, you should be including periodic website vulnerability assessments, so that you can quickly identify exploitable weaknesses and remediate them before an opportunist attacker uses them against you.
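As an added example (not code from the original article, and not a tool published with the Canadian Baseline Security Controls), the following Python script performs one cheap, repeatable slice of such an assessment: it checks a site's HTTP response headers against a small hardening baseline and flags missing or weak headers and version banners. The header baseline, the thresholds and the scoring weights are this example's own assumptions, and the sample response is constructed.

```python
"""Baseline HTTP security-header check for a public website.

Added example: not the article's code and not an official Baseline
Security Controls tool. The header baseline, thresholds and scoring
weights are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
import ssl
import urllib.request
from typing import Callable, Mapping


def _max_age(value: str) -> int:
    """Return the max-age seconds from an HSTS header value, 0 if absent."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


# Header -> predicate that returns True when the value is acceptable.
# Thresholds (one-year HSTS, DENY/SAMEORIGIN framing) are this example's choices.
BASELINE: dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that commonly leak product versions an attacker can match to known exploits.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def assess_headers(headers: Mapping[str, str]) -> dict[str, list[str]]:
    """Classify one response's headers as missing, weak or version-disclosing."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: dict[str, list[str]] = {"missing": [], "weak": [], "disclosure": []}
    for name, acceptable in BASELINE.items():
        value = lower.get(name)
        if value is None:
            findings["missing"].append(name)
        elif not acceptable(value):
            findings["weak"].append(f"{name}: {value}")
    for name in DISCLOSURE_HEADERS:
        value = lower.get(name, "")
        # A bare product name ("nginx") is normal; digits usually mean a version string.
        if any(ch.isdigit() for ch in value):
            findings["disclosure"].append(f"{name}: {value}")
    return findings


def score(findings: Mapping[str, list[str]]) -> int:
    """0-100 score so the same check can be tracked month on month (weights are illustrative)."""
    penalty = (15 * len(findings["missing"])
               + 10 * len(findings["weak"])
               + 5 * len(findings["disclosure"]))
    return max(0, 100 - penalty)


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch live response headers with a HEAD request (network access; used only from main)."""
    request = urllib.request.Request(url, method="HEAD",
                                     headers={"User-Agent": "baseline-header-check/1.0"})
    with urllib.request.urlopen(request, timeout=timeout,
                                context=ssl.create_default_context()) as response:
        return dict(response.headers.items())


# Constructed sample response standing in for a real site: HSTS present but disabled,
# three baseline headers absent, and an Apache version banner.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=0",
}


if __name__ == "__main__":
    import sys

    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    result = assess_headers(headers)
    print(f"score={score(result)}")
    for category, items in result.items():
        for item in items:
            print(f"  {category}: {item}")
```

Run it with a URL to check a live site, or without arguments to assess the constructed sample. Treat a low score as a prompt for a proper vulnerability assessment rather than a substitute for one: header hygiene says nothing about the application code or the hosting platform behind the site.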
Phase 2 enables you to measure and mature the effectiveness of these defensive controls.
The PIE FARM model should yield SMART (Specific, Measurable, Achievable, Realistic & Time-bound) outputs and is designed to run on a circular/repeatable basis (e.g. 12-month cycles). Each cycle commences with planning & preparation, which should incorporate a risk analysis step:
Risk = Threat × Vulnerability × Impact
If you need additional cyber security specialist assistance, the PIE FARM model lets you schedule external consultancy support at dedicated checkpoints, as your needs dictate:
Initial consultancy advice - Step 1: Plan & Prepare.
Project workshop - end of Step 3 (before entering the Fixing step): Engage, Explain & Evaluate.
Assessment validation - end of Step 5: Assess.
Everything else can be project-managed internally, depending on the capabilities of the project team.
Being a foundational control layer, it not only enhances your organisation's defences but also provides a platform on which to build further defensive layers, which can be modelled to provide an integrated approach:
Improving an SMB's security posture does not need to be something to be feared, or something that can only be achieved by employing a full-time, dedicated specialist; the Canadian BSCs provide businesses with a great starting point for enhancing their cyber defences.
At a minimum, your organisation should be reporting the status of the BSCs back to the key decision-makers (as monthly metrics), so that informed risk decisions can be made and the key stakeholders have suitable assurance that the external-facing defences are being effectively maintained.
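To make the monthly reporting concrete, here is an added example (not the article's own tooling, and not an official Baseline Security Controls artefact) of the roll-up behind such a report: a small control register is turned into coverage, overdue-review and "implemented but unproven" figures, using the 12-month cycle above as the review interval. The control identifiers and names, the review interval, the RAG thresholds and the register entries are constructed for illustration.

```python
"""Monthly roll-up of baseline-control status for decision-makers.

Added example: not the article's own tooling and not an official Baseline
Security Controls artefact. Control identifiers, names, the one-year
review interval and the RAG thresholds are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

REVIEW_INTERVAL_DAYS = 365  # one 12-month cycle; controls not evaluated within it are overdue
SAMPLE_AS_OF = date(2024, 3, 1)  # fixed "today" so the constructed register gives a stable report


@dataclass(frozen=True)
class Control:
    control_id: str               # hypothetical identifier, not a real catalogue reference
    name: str
    owner: str                    # team accountable for the control
    status: str                   # "implemented", "partial" or "planned"
    last_evaluated: Optional[date] = None
    evidence: str = ""            # reference to proof (scan report, ticket); empty means unproven


# Constructed sample register for illustration.
REGISTER = [
    Control("BC-01", "Automatic patching of OS and applications", "IT", "implemented",
            date(2023, 11, 2), "PATCH-2023-Q4"),
    Control("BC-02", "MFA on email and administrator accounts", "IT", "implemented",
            date(2023, 1, 15), "IDP-AUDIT-2023"),
    Control("BC-03", "Offline backups restored and tested quarterly", "Ops", "partial",
            date(2024, 2, 20)),
    Control("BC-04", "Periodic website vulnerability assessment", "Marketing", "implemented"),
    Control("BC-05", "Staff security awareness training", "HR", "planned"),
]


def monthly_summary(register: Iterable[Control], today: date) -> dict:
    """Build the figures a monthly status report needs from the control register."""
    controls = list(register)
    total = len(controls)
    implemented = [c.control_id for c in controls if c.status == "implemented"]
    # Overdue: never evaluated, or last evaluated more than one cycle ago.
    overdue = [c.control_id for c in controls
               if c.last_evaluated is None
               or (today - c.last_evaluated).days > REVIEW_INTERVAL_DAYS]
    # "Implemented" with no evidence is a claim, not assurance; report it separately.
    unproven = [c.control_id for c in controls if c.status == "implemented" and not c.evidence]
    by_owner: dict[str, tuple[int, int]] = {}
    for c in controls:
        done, count = by_owner.get(c.owner, (0, 0))
        by_owner[c.owner] = (done + (c.status == "implemented"), count + 1)
    coverage = round(100 * len(implemented) / total) if total else 0
    # RAG thresholds are this example's choice; green requires no overdue or unproven controls.
    if coverage >= 90 and not overdue and not unproven:
        rag = "green"
    elif coverage >= 60:
        rag = "amber"
    else:
        rag = "red"
    return {"as_of": today.isoformat(), "coverage_pct": coverage, "rag": rag,
            "implemented": implemented, "overdue_review": overdue,
            "unproven": unproven, "by_owner": by_owner}


if __name__ == "__main__":
    summary = monthly_summary(REGISTER, SAMPLE_AS_OF)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The "unproven" line is the one worth keeping in any real report: a control marked implemented with no evidence behind it gives decision-makers no assurance, which is exactly the gap the monthly metrics are meant to close.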
Additionally, for Canadian businesses, there is the added benefit of being able to have their BSC program validated so that they can provide extra assurances to their customers.
Why wouldn't you?