Small and mid-size business owners may not find the Federal Government to be very warm and fuzzy… but every once in a while they get something right. When it comes to cyber security for smaller businesses, NIST¹ and CISA² really are putting together helpful heaps of free information that you can use to protect your network. If you own or manage an SMB, chances are you are looking for all the free information and support you can find. In this first post of the series, we begin with the basic CISA recommendations in our own words:
- To the owners and managers! You set the pace and the priorities for your business, and your staff follow. Make cyber security a high priority. Then consider and plan for it as a business risk. Invest time and resources to identify your IT dependencies, have a disaster recovery plan AND a business continuity plan, and invest in cyber security defense. If you do not plan and invest, not only will your network be vulnerable, but your staff will conclude that cyber security is not important and will behave that way.
- Cyber security training for your staff should be at the top of your To Do list for 2020. At the very least, bring in a CyberSec trainer to talk to your employees and administrative staff about phishing and other email attacks, safe web browsing, the cost of letting malware into your network, and attacks that arrive through social media. You cannot defend your business if you do not know the methods of attack or the threats that are out there.
- Don’t think of your network as a series of magic boxes or a convenient calculator. Think of your network as the safe that you keep your gold in! It must be maintained and guarded. Hardware and software (especially operating systems) need regular maintenance. Operating systems should have automatic or weekly scheduled updates enabled for workstations AND servers. Network devices like switches and firewalls should have firmware updates applied as soon as they are available. Take the time to white-list the applications that you want to allow on your network and black-list those that should be blocked, then make sure there is a mechanism that actually prevents the bad apps from being installed. Similarly, you should have some monitoring on even the smallest networks – to report on anti-virus status, email spam, security and system events, and system health.
- Make sure that you are using the right tools to limit user rights and permissions to just what your staff need to do their jobs, without any extra access. Active Directory is one such tool, but you should also have physical access controls (your cleaning people should not have access to your router closet). Guests and customers should have separate Wi-Fi access and should not be able to plug a USB drive into the computer in Reception. And do not listen to the complaints about the extra steps users have to take when you consider implementing multi-factor authentication – it is a simple step to take that adds a lot of security!
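The two points above (keep systems patched, block unapproved software, watch security events, and keep admin rights to a minimum) can be checked from a script on any Windows machine in a small Active Directory network. The PowerShell below is an added example for this post, not something taken from CISA or NIST: it uses standard Windows cmdlets, but the thresholds (30-day patch age, 3-day signature age, two local admins) are our own assumptions for a small business, and the Domain Admins check assumes the ActiveDirectory RSAT module is installed. Run it as an administrator on each workstation or server you want to audit.

```powershell
# Added example (not from the original post): a quick baseline audit for one
# Windows workstation or server on a small AD network. It checks patch age,
# Defender status, whether an AppLocker allow-list is in force, who holds
# admin rights, and failed logons in the last 24 hours.
# Assumes PowerShell 5.1+, Microsoft Defender, and (for the Domain Admins
# check) the ActiveDirectory RSAT module. Thresholds are policy assumptions.

function Get-SmbBaselineReport {
    [CmdletBinding()]
    param(
        [int]$MaxPatchAgeDays     = 30,   # assumption: patch at least monthly
        [int]$MaxSignatureAgeDays = 3,    # assumption: AV signatures no older than 3 days
        [int]$MaxLocalAdmins      = 2     # assumption: more than this deserves review
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # --- Patching: age of the most recently installed hotfix ---
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $patchAge = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { $null }
    if ($null -eq $patchAge) {
        $findings.Add('No hotfix install dates found; verify Windows Update is enabled')
    } elseif ($patchAge -gt $MaxPatchAgeDays) {
        $findings.Add("Last hotfix $($lastPatch.HotFixID) is $patchAge days old (limit $MaxPatchAgeDays)")
    }

    # --- Anti-virus: Defender running with current signatures ---
    $av = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $av = Get-MpComputerStatus -ErrorAction SilentlyContinue
    }
    if (-not $av) {
        $findings.Add('Microsoft Defender status unavailable; confirm an AV product is running')
    } else {
        if (-not $av.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
        if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("AV signatures are $($av.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)")
        }
    }

    # --- Application allow-listing: is any AppLocker rule actually in effect? ---
    $appLockerXml = $null
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        $appLockerXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    }
    $allowListActive = [bool]($appLockerXml -match '<File(Path|Publisher|Hash)Rule')
    if (-not $allowListActive) {
        $findings.Add('No effective AppLocker rules; unapproved software is not being blocked')
    }

    # --- Least privilege: who can administer this machine and the domain? ---
    $localAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    if ($localAdmins.Count -gt $MaxLocalAdmins) {
        $findings.Add("Local Administrators has $($localAdmins.Count) members: $($localAdmins -join ', ')")
    }
    $domainAdmins = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty SamAccountName)
    }

    # --- Security events: failed logons (Event ID 4625) on this host, last 24 hours ---
    $failedLogons = @(Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue)
    if ($failedLogons.Count -gt 0) {
        $findings.Add("$($failedLogons.Count) failed logons in the last 24 hours; review for password guessing")
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        PatchAgeDays    = $patchAge
        AllowListActive = $allowListActive
        LocalAdmins     = $localAdmins
        DomainAdmins    = $domainAdmins
        FailedLogons24h = $failedLogons.Count
        Findings        = $findings.ToArray()
    }
}

# Usage: print the full report, then note when nothing needs attention.
$report = Get-SmbBaselineReport
$report | Format-List
if ($report.Findings.Count -eq 0) { 'No findings: baseline checks passed.' }
```

The report object is deliberately returned rather than just printed, so the same function can be run on every machine and the results collected in one place; the Findings list is what the owner or office manager should look at each week, and the DomainAdmins list is worth reviewing every time an employee joins or leaves.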
- There is a growing focus on backing up data and having a computing recovery plan in place. Embrace the truth… stuff happens to everyone! Power outages, storm floods, wildfires, ransomware, and data breaches have to be expected and planned for. Backup and recovery to the Cloud is how you keep a copy of your data, plus a ready virtual server that can be restored to get your business running again when bad stuff happens.
- Remember our school fire drills? Only with a plan and some practice will your team know how to respond to an emergency. Incident response plans, disaster recovery plans, policies, and business continuity plans are how you and your staff plan and drill for accidents before they happen. Sit down and have a round table with your staff – work through 1 or 2 scenarios at a time. If you had flood damage in your office, do you have paper instructions to follow? Who are your business’ first responders? How long can you afford to be off-line? Do you have a backup of yesterday’s work?
As the saying goes – this is just the tip of the iceberg. Join us next time for the second part in this series, when we go into a bit more detail about the cyber security needs of SMBs.
¹ NIST, National Institute of Standards and Technology: https://www.nist.gov/
² CISA, Cybersecurity & Infrastructure Security Agency (a component of the Department of Homeland Security): https://www.cisa.gov/