Cyber-crime is a growing concern for businesses of every size, but especially for small businesses. This is because small businesses have information attackers want but, often don’t have the security infrastructure to defend against or respond to attacks. Top risks for small businesses include malware, viruses, ransomware, and phishing. According to the FBI Internet Crime Report, the cost of cyber-crime was $2.7 Billion dollars in 2018, with Business Email Compromise (BEC) incurring the highest costs.
So where should small businesses start with cybersecurity? One excellent place to start is cyber hygiene. Center for Internet Security (CIS) defines cyber hygiene as the essential and fundamental protections that should be put in place to protect against common attacks. These security controls comprise the first six parts of version 7 of the CIS Controls :
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
Many small businesses will have limited resources to implement the sub-controls in each control, and will, therefore, fall into Implementation Group 1. By focusing on fundamental security controls, with recommendations tailored to implementation groups based on resource availability, and the sensitivity of their data, a small business can get an excellent start on improving their security posture. One of the strengths of the CIS Controls is the guidance they provide on getting the greatest risk reduction possible given the resources available.
Many other tools and resources are available to such as the Department of Homeland Security’s free cyber-hygiene vulnerability scanning for small businesses. CIS itself offers a lot of tools and resources ranging from benchmarks for securing specific systems, a risk assessment methodology, mapping of CIS controls to the NIST cybersecurity framework and hardened operating system images. In the ever-changing world of technology, it can be hard to keep up with new threats. The good news is, there is a lot a small business can do to greatly reduce risk by focusing their efforts where it counts.