SMBs are a regular target of cybercriminals, and the impact of a cyberattack can be crippling. Research shows that 43 percent of cyberattacks target small businesses, and that 60 percent of small companies go out of business within six months of an attack. How can SMBs prepare for a cyber incident and survive to tell the tale?
The key is to be proactive and establish – and practice – a security/risk management program to train the organization to prepare for the worst.
I’m a realist. I know this is easier said than done. Businesses are focused on revenue, and cybersecurity spending is hard to justify when the organization’s priorities are staying solvent and directing resources to critical operations. My counter to this argument is that companies should put a stake in the ground and start somewhere: apply the cyber basics, the easy-to-perform steps that protect their assets, data, and employees.
Then, as an organization matures, it can use the established security program as a foundation to grow its footprint. This maturing security and risk mitigation initiative serves as a core business process to protect the organization’s new assets and ongoing strategic operations.
Starting with the basics, I recommend that SMBs use an established risk management framework as a template for putting the necessary cybersecurity policies and procedures in place. One framework I like to use is NIST’s Cybersecurity Framework, built around the five core functions of Identify, Protect, Detect, Respond, and Recover. This approach to managing risk helps organizations grow their security programs into a resilient, strategic asset that delivers business value and lets them innovate securely.
Here are the five core functions of this framework and the basic tasks under each:
Under Identify, the business develops an understanding of its risk and then implements the capabilities to manage it. Core tasks in the Identify function are oriented toward understanding the critical systems, assets, data, and capabilities required for business operations.
- Identify and prioritize critical business systems and processes which may be exposed to compromise. Think of the procedures, applications, data, and people required for essential operations needed by the organization to function as a business.
- Develop Business Continuity and Disaster Recovery (BC/DR) plans that take into account the following requirements:
- Coordinate how the business will work with suppliers and primary customers during an emergency.
- Plan how the business would conduct manual or alternative business operations if required.
- Plan how the company would conduct financial transactions offline.
- Develop written procedures for emergency system shutdown and restart.
- Develop and test methods for retrieving and restoring backup data; periodically perform actual restores, not just checks that backups exist, to verify that the data is complete and usable.
- Have established agreements and procedures for conducting business operations in an alternate facility/site.
- Educate and train staff on the business operations and BC/DR plans.
Under Protect, the business implements a cybersecurity program with appropriate security controls and capabilities. The core tasks in the Protect function center on developing the processes and safeguards that limit or contain the impact of a cybersecurity incident.
- Develop core “cyber hygiene” policies covering acceptable use, access control, change management, information security, incident response, remote access, BYOD, email/communication, and social media.
- Implement an enterprise cybersecurity program built on these practices:
- Back up business data (daily incremental, weekly full) and keep at least one copy offline or otherwise isolated from the production network, so that an attacker who compromises production cannot also destroy the backups.
- Run anti-virus and anti-malware software on all systems and keep it updated.
- Keep all computer operating systems on supported versions with current security patches applied.
- Secure wireless networks with strong encryption (WPA2 or WPA3, never WEP) and the vendor’s recommended hardening steps.
- Implement system and network logging, and monitor and audit the logs; a log that nobody reviews detects nothing.
- Implement access control and authentication for critical/sensitive networks and business data, granting each user only the access their role requires.
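The point about testing backups deserves a concrete mechanism. The script below is an added example, not code from the original article: at backup time it records a SHA-256 digest of every file in a manifest, and after a restore it compares the restored tree against that manifest, reporting files that came back altered, files that did not come back at all, and stray files that were never in the backup. The data tree, file names and manifest path are constructed for the demonstration; in practice the manifest should be stored separately from the backup media, since an attacker who can rewrite the backup must not be able to rewrite its checksums too.

```python
"""Backup integrity manifest: hash every file at backup time, then verify a
restore against that manifest. Added example, not from the original article."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns lists of files that are intact, silently altered, missing from the
    restore, or present in the restore but absent from the manifest."""
    current = build_manifest(restored_root)
    report = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def run_demo() -> dict:
    """Constructed scenario: back up a tiny data tree, then 'restore' a damaged copy."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        src = tmp / "data"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (src / "customers.txt").write_text("Acme Widgets\n")
        (src / "notes.txt").write_text("call vendor Monday\n")

        # Written at backup time. Hypothetical location; keep the real one apart
        # from the backup media so an attacker cannot alter both together.
        manifest_path = tmp / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        # A restore that went wrong: one file altered, one missing, one stray file.
        restored = tmp / "restored"
        (restored / "accounts").mkdir(parents=True)
        (restored / "accounts" / "ledger.csv").write_text("date,amount\n2024-01-02,1000\n")
        (restored / "notes.txt").write_text("call vendor Monday\n")
        (restored / "Thumbs.db").write_bytes(b"\x00")

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A clean report from this check proves the bytes came back; it does not prove the application can start on them, so the periodic restore test should still end with someone opening the restored system and confirming it works.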
- Train employees in cybersecurity awareness and proper use of business systems.
Under Detect, the business implements the appropriate security controls and technologies to identify and investigate cybersecurity events. The core tasks in the Detect function focus on the timely discovery and investigation of anomalies and abnormal events through continuous monitoring.
- Continuously assess and monitor the networks and assets deemed critical to the business, and remediate the weaknesses found.
- Train security personnel on the use of cyber threat intelligence and on handling anomalous events.
- Develop an incident response plan that the organization’s cybersecurity team can follow during a cyber event, including the following:
- Maintain a current inventory of computer assets (hardware, software, and cloud).
- Maintain a list of IT service providers and emergency/law enforcement contact information.
- Create a checklist of specific actions in the event of a cyber incident.
- Define which employees are notified, and in what order.
- Define when and how customers/clients are notified, as necessary and at the appropriate time.
- Define other notifications (e.g., law enforcement).
- Account for regulatory compliance obligations, such as breach notification requirements, as applicable.
- Conduct refresher training on incident response emergency procedures (at least annually).
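“Monitor and audit the logs” is abstract until you see what a detection actually looks like. The script below is an added example, not code from the original article: it parses sshd authentication lines, keeps a sliding two-minute window of failed logins per source address, raises an alert when one address hits five failures, and raises a higher-severity alert if that same address then logs in successfully, which is the pattern that should wake someone up rather than sit in a log. The log lines, host name, user names and IP addresses are constructed for the demonstration (the addresses come from the documentation ranges); the thresholds are starting points to tune, not recommendations.

```python
"""Detect SSH brute-force attempts and a subsequent successful login from the same
source in authentication log lines. Added example, not from the original article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log lines in syslog/sshd format; not taken from a real system.
SAMPLE_LOG = """\
Mar  4 09:15:01 fileserver sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  4 09:15:03 fileserver sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  4 09:15:04 fileserver sshd[2215]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  4 09:15:06 fileserver sshd[2217]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  4 09:15:08 fileserver sshd[2219]: Failed password for jsmith from 203.0.113.5 port 51242 ssh2
Mar  4 09:15:11 fileserver sshd[2221]: Accepted password for jsmith from 203.0.113.5 port 51244 ssh2
Mar  4 09:20:30 fileserver sshd[2300]: Failed password for jsmith from 198.51.100.20 port 40001 ssh2
Mar  4 09:31:00 fileserver sshd[2350]: Accepted publickey for jsmith from 198.51.100.20 port 40002 ssh2
Mar  4 09:31:05 fileserver CRON[2360]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Parse one sshd auth line; syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None  # lines from other daemons are ignored, not errors
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Mar  4")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(log_text: str, threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> list:
    """Sliding-window count of failed logins per source IP.

    Emits BRUTE_FORCE once an IP reaches `threshold` failures inside `window`, and
    SUCCESS_AFTER_BRUTE_FORCE if that IP later authenticates successfully."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            q = recent[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "BRUTE_FORCE", "ip": ev["ip"],
                               "failures": len(q), "ts": ev["ts"]})
        elif ev["ip"] in flagged:
            alerts.append({"type": "SUCCESS_AFTER_BRUTE_FORCE", "ip": ev["ip"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the single failure from 198.51.100.20 followed by a key-based login produces nothing, which is the behaviour you want for an employee who mistyped a password once; the five failures and then a password login from 203.0.113.5 produce both alerts. The same shape of logic (per-source window, threshold, escalation on success) applies to VPN, web application and Windows logon events once the parser is swapped.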
Under Respond, the organization implements the controls and procedures to act on a confirmed cybersecurity incident. The core tasks of the Respond function support the business’s ability to contain the impact of the incident.
- Identify impacted/compromised systems and assess the damage.
- Implement incident response plan actions (emergency/contingency plans) to minimize the impact on business operations.
- Preserve evidence of the incident while isolating the affected assets: prefer disconnecting them from the network over powering them off, since powering off destroys volatile evidence (memory contents, running processes, active network connections) that investigators may need.
- Collect and preserve the affected assets’ system configuration, network logs, and intrusion detection logs.
- Notify appropriate internal parties, third-party vendors or authorities, and request assistance, if necessary.
- Limit further damage by keeping affected assets disconnected until they have been cleaned or rebuilt.
- Document all steps that were taken during the incident and conduct a “lessons learned” discussion to improve the incident response team’s procedures.
Under Recover, the organization develops and implements the procedures to be activated after a cybersecurity incident. The core focus of the Recover function is to keep the company operating during the event and to support its return to normal business operations.
- Roll affected assets back to known-good recovery points (snapshots) where available, or rebuild them from backup data to the last known good state; confirm that the restore point predates the compromise, or the attacker’s foothold comes back with it.
- Ensure all backups of critical assets are stored in a physically and environmentally secured location.
- Remember that bringing recovered systems current may require manually entering transactions that were conducted offline during the cyber event.
- Create an updated “clean” backup from each restored asset once it has been verified.
- Re-establish full business operations when feasible and bring up all non-critical systems and operations.
In today’s dynamic threat environment, developing a risk management methodology is a strategic imperative for companies. The functions of NIST’s framework are the steps an organization can follow to manage its risk and the impact of a cyber incident. The important thing is to begin: accept that you need the program, and make it part of the portfolio of critical operations the business requires to be successful.