April 10, 2024

7 Cybersecurity Controls Every Small Business Should Have

Table of Contents

Introduction
Executive Summary
Policies
Technical Security Prevention Controls
Detection Controls - Logging
System Hardening
Identity Management
Internal Auditing
Risk Assessments
Vulnerability Management
Bonus: Backups

Introduction



Small businesses focus on maximizing profit and delivering value to their customers, and many assume their systems and data are not "valuable" enough for an attacker to bother with. That assumption is wrong for two reasons. First, attackers compromise small businesses to reach the larger organizations they work with, reusing the access and weaknesses found in a small supplier's systems to attack its customers and partners, a pattern often called "island hopping". Second, small organizations are targeted precisely because they invest less in security. According to Forbes, "… small businesses with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise". So what should a small business do to protect itself, where should it start, and how much protection can it put in place while keeping costs low and still mitigating the highest-risk attacks?

Executive Summary

Running an organization is hard enough, so in the following sections I have put together my recommendations for small and mid-sized businesses, ranked in order of importance and cost. These recommendations come from a decade of experience and more than a decade of education in information technology and information security. If you are concerned with cybersecurity threats, or responsible for managing them, this list is for you. It covers the following areas: governance, prevention, detection, least privilege, account management, auditing, vulnerability management, and a bonus control. Every cybersecurity program should have controls in these areas, since most information security standards (PCI DSS, ISO 27001, HIPAA, SOC 2) require them. There are many more critically important controls, but this is a solid baseline for any small or mid-sized business to start from.

Policies

Information security and information technology policies tell employees what is and is not acceptable use of the company's technology and data, and employees are required to read and sign them. Policies cost nothing to produce: write the document in your favorite word processor, export it to PDF, distribute it to your staff, and have them read and sign it. Each policy should be reviewed and re-signed every 12 months by every staff member it applies to. Below are the top policies that every business with information technology and data should have.

BYOD

  • The BYOD policy typically covers which personal devices employees may bring onto the corporate network, the security measures required of every device brought into the office by personnel, the privacy rules and permissions that apply to personal devices used on the corporate network, and how those devices are off-boarded (corporate data removed and access revoked) when the employee or the device leaves.

Acceptable Use Policy

  • The acceptable use policy typically states which assets it applies to, sets the rules for using those assets, and spells out the consequences of not following the policy.

Information Security Policy

  • The information security policy can be lengthy. It typically covers the responsibilities, rights and duties of personnel, the organization's information security objectives, authority and access control, data classification, data support and operations, and security awareness and behavior. It may also set data backup and encryption requirements.

Technical Security Prevention Controls

Malware Protection

  • Malware protection covers the tools (antivirus and endpoint protection software) that defend computer systems against malicious software. This control is critical because malware such as ransomware can render your systems unusable and is a common first step in a larger compromise of your network.

Email Security

  • Email, along with physical access to computer systems, is the primary way an attacker reaches an organization. A full-time employee receives on average 50-100 emails a day (depending on role and responsibilities), and many organizations fall victim to phishing emails that capture critical passwords, expose client email lists, or introduce malware into the business. Email security reduces the success rate of phishing by blocking suspicious emails before delivery (quarantining them) and/or labeling them as suspicious, so that employees know which messages to treat with care.
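To make the "label or quarantine" idea concrete, here is an added example of the kind of header checks a mail gateway applies before a message reaches an inbox. It is illustrative code written for this edit, not code from the original article or from any product, and the company domain, the protected executive name and the four sample messages are constructed assumptions (documentation domains, not real mail).

```python
"""Header-based phishing triage (added example, not from the article).

The internal domain, protected names and the sample messages are constructed
assumptions for the example; a real mail gateway runs many more checks.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumed: your own mail domain
PROTECTED_NAMES = {"Jane Doe"}         # assumed: staff whose names are worth impersonating


def triage(raw_message):
    """Return (verdict, reasons); verdict is 'deliver', 'label' or 'quarantine'."""
    msg = message_from_string(raw_message)
    reasons = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    # Authentication-Results is written by your own receiving server (SPF/DKIM/DMARC outcome)
    auth = msg.get("Authentication-Results", "").lower()

    if "spf=fail" in auth or "dkim=fail" in auth or "dmarc=fail" in auth:
        reasons.append("sender authentication failed")
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("From claims our own domain but did not pass DMARC")
    if reply_domain and reply_domain != from_domain:
        reasons.append("Reply-To domain %s differs from From domain %s" % (reply_domain, from_domain))
    if from_name in PROTECTED_NAMES and from_domain != INTERNAL_DOMAIN:
        reasons.append("display name '%s' used from external domain %s" % (from_name, from_domain))

    if "sender authentication failed" in reasons or len(reasons) >= 2:
        return "quarantine", reasons
    if reasons:
        return "label", reasons
    return "deliver", reasons


# Constructed sample messages.
PHISH = """\
From: "Jane Doe" <jane.doe@example-payments.net>
Reply-To: <invoices@mail-relay.example.net>
To: bob@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-payments.net; dkim=none; dmarc=none

Please process the attached invoice today.
"""

SPOOF = """\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Password reset
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail

Click here to reset your password.
"""

LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: bob@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass

Are you at your desk?
"""

LEGIT = """\
From: "Supplier Support" <support@supplier.example>
To: bob@example.com
Subject: Your order has shipped
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example; dkim=pass header.d=supplier.example; dmarc=pass

Tracking details below.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("SPOOF", SPOOF), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        verdict, why = triage(raw)
        print(label, "->", verdict, why)
```

The lookalike message is the one to notice: every authentication check passes, because the attacker really does own examp1e.com, so only the display-name check catches it and it gets a warning label rather than quarantine. That is why the labeling in the paragraph above matters as a complement to blocking.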

Encryption

Encryption protects business data from exposure: data that is encrypted at rest (on laptops, servers and backup media) and in transit is unreadable to an attacker who steals a device or intercepts traffic. Note that encryption by itself does not stop ransomware from rendering data unusable, since ransomware simply encrypts the data again with a key you do not have; that risk is addressed by backups (see the bonus control below).

Detection Controls – Logging

Logging controls are next on the list. Logs allow your cybersecurity professionals to detect attacks that are attempting to compromise your network (so you can act proactively), attacks that are occurring in real time, and attacks that succeeded in the past and have lain dormant since (you may be compromised now without knowing it).

Intrusion Detection System

  • An intrusion detection system (IDS) inspects network traffic or host activity for known attack patterns, commonly mapped to the MITRE ATT&CK framework so that an alert tells you which adversary technique was observed. With IDS alerts in hand, your cybersecurity professionals can respond to potential attacks and harden your systems accordingly.

Central Logging

  • Central logging is more of a cybersecurity architecture recommendation. A central logging solution should include a Security Information and Event Management (SIEM) system that ingests all your logs (IDS, firewall, server, endpoint and application logs) into one place, so that your cybersecurity professionals can correlate events and detect and investigate attacks across your whole environment, internal and external systems alike.
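As an added example of the detection logic a SIEM rule runs over the logs it collects (illustrative code, not from the original post), the script below reads SSH authentication log lines, keeps a per-source window of failed logins, and raises one alert for a password-guessing burst and another for a successful login that follows such a burst. The log lines, the IP addresses (documentation ranges) and the thresholds are constructed assumptions; you would tune the threshold and window to your own environment.

```python
"""Brute-force login detection over sshd auth logs (added example, not from the article).

The log lines are constructed samples using documentation IP ranges; the
threshold and window are assumptions to be tuned per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line):
    """Return a dict for sshd login events, or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; assume every line comes from the same year
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on a burst of failures from one source, and on a login that follows one."""
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps inside the window
    reported = set()                        # IPs already alerted on for a burst
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "failures": len(q), "at": ts})
        elif len(q) >= threshold:           # an Accepted login right after a burst
            alerts.append({"type": "brute_force_success", "ip": ip, "user": ev["user"],
                           "failures": len(q), "at": ts})
    return alerts


# Constructed sample log: a guessing burst that ends in a successful login, then normal activity.
SAMPLE_LOG = """\
Jan 12 03:14:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 12 03:14:04 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51023 ssh2
Jan 12 03:14:09 web1 sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 12 03:14:15 web1 sshd[2213]: Failed password for deploy from 203.0.113.7 port 51025 ssh2
Jan 12 03:14:22 web1 sshd[2214]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Jan 12 03:14:30 web1 sshd[2215]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
Jan 12 03:14:40 web1 sshd[2299]: Accepted password for deploy from 203.0.113.7 port 51090 ssh2
Jan 12 03:15:00 web1 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 07:58:10 web1 sshd[3050]: Failed password for alice from 198.51.100.3 port 40100 ssh2
Jan 12 07:58:20 web1 sshd[3051]: Accepted publickey for alice from 198.51.100.3 port 40101 ssh2
Jan 12 08:00:02 web1 sshd[3100]: Accepted publickey for carol from 192.0.2.10 port 40122 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single typo by alice produces no alert, while the burst from 203.0.113.7 produces two, and the second one (password accepted for deploy right after six failures) is the one that should page somebody: it is exactly the "successful in the past but dormant" case the paragraph above describes, and it is only visible when the failures and the success are correlated in one place.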

System Hardening

Computer System, Firewall and Server Hardening

  • Hardening is a simple configuration principle: enable and allow only what you intend the system to do. As an example, configure the access control lists on your firewall so that only DNS, HTTPS and email protocols may leave your company network, and only to the destinations they need (for instance, DNS only to your own resolver). This limits an attacker's options for exfiltrating data if your network is compromised, but it does not eliminate them: a connection to an arbitrary host on port 443 still passes such a rule, so pair egress filtering with logging of denied and unusual outbound connections.
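The following added example (not from the original article) models the egress ACL just described as a first-match rule list and evaluates a handful of outbound connections against it, so you can see which connections it stops and which it lets through. The resolver address, the mail provider's network and the sample flows are assumptions chosen from documentation IP ranges.

```python
"""Egress allow-list evaluation (added example, not from the article).

The rules, the resolver and mail-provider addresses and the sample flows are
constructed assumptions that model the firewall ACL described above.
"""
import ipaddress
from collections import namedtuple

# name, action, protocol, destination CIDR, destination ports (empty tuple = any port)
Rule = namedtuple("Rule", "name action proto dst_net dst_ports")

EGRESS_RULES = [
    # DNS only to our own resolver (assumed 192.0.2.53), never to arbitrary resolvers on the internet
    Rule("dns-udp", "allow", "udp", "192.0.2.53/32", (53,)),
    Rule("dns-tcp", "allow", "tcp", "192.0.2.53/32", (53,)),
    # HTTPS to anywhere: needed for normal work, but it also carries exfiltration
    Rule("https", "allow", "tcp", "0.0.0.0/0", (443,)),
    # Mail submission only to the mail provider's network (assumed 198.51.100.0/24)
    Rule("mail-submission", "allow", "tcp", "198.51.100.0/24", (587,)),
    # Everything else is dropped and, in a real deployment, logged
    Rule("default-deny", "deny", "any", "0.0.0.0/0", ()),
]


def evaluate(proto, dst_ip, dst_port, rules=EGRESS_RULES):
    """First-match evaluation, the way most firewalls walk an ACL."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if ip not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dst_ports and dst_port not in r.dst_ports:
            continue
        return r.action, r.name
    return "deny", "implicit-deny"


def audit(flows, rules=EGRESS_RULES):
    """Return (flow, action, matched rule) for each outbound flow."""
    return [(f, *evaluate(*f, rules=rules)) for f in flows]


# Constructed outbound flows as (protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("udp", "192.0.2.53", 53),      # normal lookup via the internal resolver
    ("udp", "203.0.113.9", 53),     # DNS to an outside resolver: blocked (closes a tunnelling path)
    ("tcp", "203.0.113.9", 4444),   # reverse shell on a non-standard port: blocked
    ("tcp", "203.0.113.9", 25),     # direct SMTP from a workstation: blocked
    ("tcp", "198.51.100.25", 587),  # mail submission to the provider: allowed
    ("tcp", "203.0.113.9", 443),    # HTTPS to an unknown host: allowed, the gap logging must cover
]

if __name__ == "__main__":
    for flow, action, rule in audit(SAMPLE_FLOWS):
        print("%-5s %-28s %s" % (action, flow, rule))
```

Rule order matters: the resolver-only DNS rules sit above the default deny, and there is deliberately no "DNS to anywhere" rule, so a compromised host cannot talk to an attacker-controlled resolver. The last flow shows the limit of the control: HTTPS to an unknown host is allowed, which is why the denied-connection log, not the ACL alone, is what tells you something is wrong.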

Identity Management

Identity management covers the management of your employees' accounts and their access to information technology across the organization. It matters because of risks such as shared accounts being compromised and improper access to applications and data; each of these can lead to data leakage and to computer system or application outages.

Password Manager

  • A password manager lets you, as the business owner, control all system account credentials and distribute them to the right people, with a unique strong password for every account. This prevents reused and weak passwords from being compromised, and it also relieves the "I forgot my password" problem that plagues most organizations.

Least Privilege

  • Least privilege means granting an employee only the access to a computer system or application that their role requires, and nothing more. In practice this is about what permissions are granted at onboarding: every business should ask its IT staff what access is being provided to each new hire and confirm that no additional permissions are granted.

Internal Auditing

Internal auditing is the process of confirming that the controls you have in place are working as expected and that there are no gaps between what you as a business owner understand to be in place and what your technical and management staff have actually implemented. The following controls and processes help enforce all of the cybersecurity controls above, reveal controls that are not in place, and let you as a business owner make informed decisions going forward.

Account Reviews

  • An account review is a business process that goes over every account used to access your systems and applications. It is a great way to confirm that least privilege is being applied and that the password manager is being used. Accounts that should have been removed (for example, those of former employees) are discovered, and inactive accounts can be removed.
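As an added example that serves both the least privilege point above and the account review here (illustrative code, not from the original article), the script below compares an application's account export against an assumed HR roster and per-role entitlement baseline and reports orphaned, shared, over-privileged and inactive accounts. The roster, the role baseline and the account data are constructed; in practice the roster comes from HR and the accounts from each application's admin export.

```python
"""Account review with a least-privilege check (added example, not from the article).

The staff roster, role baseline and account export are constructed assumptions.
"""
from datetime import date

# Assumed per-role entitlement baseline: what each role is supposed to have, nothing more.
ROLE_BASELINE = {
    "sales":   {"crm:user"},
    "finance": {"crm:user", "erp:ap"},
    "it":      {"crm:admin", "erp:admin", "vpn:admin"},
}

# Assumed active staff roster from HR: username -> role.
ACTIVE_STAFF = {"alice": "sales", "bob": "finance", "carol": "it"}

# Assumed account export from the applications (constructed sample).
ACCOUNTS = [
    {"account": "alice", "owner": "alice", "entitlements": {"crm:user"},
     "last_login": date(2024, 3, 28)},
    {"account": "bob", "owner": "bob", "entitlements": {"crm:user", "erp:ap", "erp:admin"},
     "last_login": date(2024, 4, 1)},
    {"account": "dave", "owner": "dave", "entitlements": {"crm:user"},
     "last_login": date(2023, 11, 2)},                      # dave has left the company
    {"account": "carol", "owner": "carol", "entitlements": {"crm:admin", "erp:admin", "vpn:admin"},
     "last_login": date(2023, 12, 1)},
    {"account": "frontdesk", "owner": None, "entitlements": {"crm:user"},
     "last_login": date(2024, 4, 9)},                       # generic shared login
]


def review(accounts, staff, baseline, today, inactive_days=90):
    """Return (account, finding code, detail) tuples for everything a reviewer should act on."""
    findings = []
    for a in accounts:
        name, owner = a["account"], a["owner"]
        if owner is None:
            findings.append((name, "shared", "no individual owner; replace with named accounts"))
        elif owner not in staff:
            findings.append((name, "orphaned", "owner %s is not on the active staff roster" % owner))
        else:
            # least privilege: anything beyond the role baseline needs a justification or removal
            excess = a["entitlements"] - baseline[staff[owner]]
            if excess:
                findings.append((name, "excess", "beyond %s baseline: %s" % (staff[owner], sorted(excess))))
        idle = (today - a["last_login"]).days
        if idle > inactive_days:
            findings.append((name, "inactive", "last login %d days ago" % idle))
    return findings


if __name__ == "__main__":
    for acct, code, detail in review(ACCOUNTS, ACTIVE_STAFF, ROLE_BASELINE, date(2024, 4, 10)):
        print("%-10s %-9s %s" % (acct, code, detail))
```

Run against the sample data with the article's date as "today", the review flags bob's extra erp:admin entitlement, dave's account as both orphaned and inactive, carol's admin account as unused for over 90 days, and the front-desk login as shared; alice's account is clean. The "today" parameter is explicit so the review is reproducible and so the same script can be re-run every quarter.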

IT System List

  • Keeping an inventory of all your information technology systems and applications ensures you know which systems your organization depends on and which are the most critical. Knowing your organization's key systems lets you decide how to protect each of them according to its impact on the organization.

Risk Assessments

Identify critical business processes and their risks. This involves the key department leaders, who understand which business processes keep the organization operating; from there your cybersecurity professionals can build controls to mitigate the risks to those processes. As an example, if your organization is a fintech company, one risk is cardholder data leakage; the risk assessment determines the likelihood and impact of a cardholder data leak and what controls should be in place to protect against it.

Vulnerability Management

Simply put, vulnerability management is the process of discovering vulnerabilities in your computer systems and applications. Vulnerabilities are the doors through which a cyber threat compromises your organization. The cycle of discovering, analyzing, and patching or mitigating vulnerabilities, repeated on a regular schedule, is vulnerability management.

Bonus: Backups

Backups are critical to every business's resilience. They reduce the impact of a successful cyber attack by allowing your organization to recover quickly. Keep at least one backup copy offline or on immutable storage that cannot be modified or deleted from your network, so that ransomware cannot encrypt or destroy it along with your live data; encrypt the backups as well, so that a stolen backup does not expose your data; and test restoring from them regularly, because a backup that has never been restored is only a hope.