Cybersecurity for Small-to-Midsize Businesses: Where to Begin?
When it comes to cybersecurity, there is no shortage of information, tips and guidance for small-to-midsize businesses (SMBs). There is so much, in fact, that no SMB owner or executive could possibly read, digest and evaluate all of it, or even a big chunk of it. The Federal government alone publishes materials through at least four separate agencies: DHS, FTC, NIST and SBA. State and local governments, the private sector and even international NGOs publish additional guidance.
For SMBs that have that nagging sense they should be doing something about cybersecurity (or more generally, information security), but don’t know where to begin, let me suggest three free publicly available resources:
1. The FTC’s “Start With Security.” The Federal Trade Commission generated this 20-page guide based on decades of experience bringing enforcement actions against, and negotiating settlements with, numerous private companies in myriad industries. It is organized into ten broad topics and written in an accessible, informative style. The report introduces concepts (e.g., “Don’t collect personal information you don’t need.”), not action items, so it should be read as a series of starting points for an SMB to develop its own robust cybersecurity plan.
2. NIST’s “Small Business Cybersecurity: The Essentials.” The National Institute of Standards and Technology’s 54-page guidance, written specifically for SMBs, begins with an introduction to cybersecurity risk management and risk assessment. It continues with a four-step process (identify what information your business stores and uses; determine the value of that information; develop an inventory; and understand your threats and vulnerabilities). It also provides SMBs with sample risk management policies and procedures, and a methodology to generate a comprehensive, if basic, risk management program. Finally, it serves as a gateway into NIST’s Cybersecurity Framework, the gold standard of cybersecurity compliance for critical infrastructure and other businesses for whom cybersecurity is a top priority.
3. GCA’s Cybersecurity Toolkit for Small Business. The Global Cyber Alliance is an international NGO founded by the City of London Police, the District Attorney for New York County and the non-profit Center for Internet Security (CIS). Its Toolkit offers resources grouped around six topics (e.g., “Know What You Have”) and, perhaps uniquely, includes free, downloadable software applications. The tools provided are meant to support SMB compliance with the CIS Controls. GCA boasts that, merely by adopting the first five CIS Controls, an SMB can reduce its risk of cyber-attack by 85%.
Attaining good cybersecurity posture for your business can be daunting, but these resources make the task manageable by breaking it down into bite-size pieces.