Many small business owners are aware of the threat that cybercriminals present. The constantly evolving nature of phishing scams, malware, and ransomware attacks has made a challenging situation even more complex. The reality is that these companies often lack the technical knowledge, expertise, and budget that larger companies can access. This leaves business owners with little choice but to take a patchwork approach without adhering to any established framework or strategy. The result is that cyber protections are often limited rather than comprehensive, and rely on hardware and software to do the heavy lifting.
The threat posed by cybercriminals is disproportionately higher for small businesses because of the lack of formal policy, processes, and training. In fact, it has been found that 46% of all breaches impact businesses with fewer than 1000 employees. Given the high risk level, it is surprising to learn that 47% have no cybersecurity budget and only 17% have a cybersecurity budget. While the threat remains, the good news is there are steps these organizations can take now to lay the foundation of an effective and comprehensive cybersecurity plan. To help clients, prospects, and others, JLK Rosenberger has provided a summary of the key details below.
Elements of a Cybersecurity Plan
- Cybersecurity Risk Assessment – The first step involves conducting an assessment of the company’s assets and risks. This assessment is designed to reveal the possible cyber threats to the business and identify capabilities needed to manage such risks. Since threats can vary greatly by business type and services provided, it is important to conduct this evaluation to find the gaps and vulnerabilities in procedures. It is often useful to evaluate past attacks on the business, or others in the same industry. Beyond risk identification, it can also help companies identify and map data-based asset values. This allows for the prioritization and allocation of resources to the highest-value areas first.
- Maturity Assessment – This is designed to inventory the internal IT structure. It allows management to identify internal assets, types of data collected and stored, and steps associated with these processes. Armed with this information, it becomes easier to see the types of risks that the business may be facing. The final step is to start comparing assets and threats to controls needed to secure each. During this process, it is useful to begin investigating potential cybersecurity frameworks.
- Establish Security Goals – Once the risk and maturity assessments are complete, it is time to establish security goals. These must be aligned with larger business goals. This can be a challenging step in the process, and while a qualified advisor is often needed, there are some important considerations. These include identifying the company’s maturity level, its risk tolerance, and whether the goals are achievable.
- Identify a Framework – Finding a framework or set of compliance standards is necessary to guide efforts. Even if a company is unable to complete all the steps, a framework is an extremely useful guide to meeting benchmarks. There are several popular frameworks, including NIST, ISO 27001, HIPAA, and GDPR; however, not all are appropriate for small businesses. NIST has developed a cybersecurity framework for small companies that offers clear, practical, and useful steps to follow.
- Review & Create Security Policies – The next step is to develop security policies describing how physical and IT assets will be protected. This process can start with reviewing existing policies and then modifying them as needed. Companies that have never completed the process should focus on key vulnerabilities and on remediating security processes.
- Risk Management – In this phase, management can develop formal policies designed to provide practices and procedures to help bolster protections and outline how the company uses, stores, and protects information. Examples of policies include an Incident Response Plan, Data Protection Plan, Data Privacy Plan, and a Retention Policy.
- Implementation – This is the last step, where the company begins implementing the planned steps to increase its cyber protections. It is important to note that cybersecurity should not be undertaken with a “set it and forget it” attitude. Since threats are constantly evolving, it is necessary to regularly review the plan and make enhancements and upgrades as needed.
Small Business Adaptation
Unfortunately, not every small business has the time and resources needed to develop a formal cybersecurity plan. However, the work can be divided into small steps that each deliver some protection. These include:
- Developing cybersecurity policies.
- Conducting security awareness training for all employees.
- Installing anti-spam and anti-malware software on the network.
- Implementing firewalls to protect data assets.
- Installing endpoint detection and response.
Developing a cybersecurity plan can help a business protect sensitive data and IT assets. While it is tempting to simply make piecemeal changes and updates, the reality is that the resulting protections will be limited. For this reason, it is important to consult with a qualified advisor who can assess your situation. If you have questions about the information outlined above or need assistance with a cybersecurity risk assessment or with planning, JLK Rosenberger can help. For additional information, call 949-860-9902 or contact us. We look forward to speaking with you soon.