Small Business Security Challenges

Cybersecurity is difficult for small businesses, but there is help and support so that even the smallest organization can stay on top of essential security.

Being a smaller organization has many benefits and challenges at the best of times, and it can be a tricky position from a cybersecurity perspective. On one hand you're probably too small to have a dedicated cyber function; it may well be a stretch even to afford a full-time IT manager. On the other, in everything but the smallest company the potential impact of a cyber-attack can be devastating in terms of financial or reputational damage, or even job losses if things go really badly.

There is some good news, though: the basics of security aren't that hard, and you don't need to be a cyber specialist to do them. There's a Government-led standard in the UK called Cyber Essentials, which will be ten years old in June 2024, at whose core are five things that any small business can do to take a huge step toward effective security. The great thing is that anyone with a half-decent knowledge of IT can do everything it suggests; you don't need to be a cyber guru.

Where to Begin

First, get a firewall. This is easy, because if you have a home or business broadband connection, the router that drives it has a firewall built in. Make sure you change the "admin" password to something complex and unguessable, and make sure the checkbox that allows the router to be managed from out on the internet (usually labelled remote or WAN management) is unticked. While you're in there, check that no port-forwarding rules exist that you don't recognize. Most of the time inbound connections from the internet will be blocked by default, so there's really not much you have to do, and the user manual will guide you through the things we just suggested.

Next is secure configuration, which sounds technical but isn't really. It primarily covers the fact that, like the router example we just gave, a lot of IT kit comes with default "admin" passwords, so change them to something sensible. It's also quite common to find other admin-like user IDs built into equipment that you wouldn't necessarily know about unless you looked properly, so hunt them down and disable them or change their passwords. For example, I once pointed out to a client that although they had diligently changed the "admin" password on a core system, they didn't know there was also a "root" account with the same privileges and a default password that could be Googled. Secure configuration also includes ensuring that computers auto-lock their screens after a minute or two unused, demanding a password before letting the user back in.

Patch It

Moving on, we have update management. Another technical-sounding concept, but all it means is making sure your equipment is updated regularly. Most operating systems, particularly Windows and macOS, which between them cover the majority of desktop and laptop computers, already have automatic updates enabled, so staying secure requires nothing except leaving the machines switched on at least once a week for a few hours to give the updater a chance to run (and checking now and then that nobody has turned automatic updates off). Servers and network devices often have auto-update facilities too, so enable them on everything that you don't mind rebooting itself without warning. For the remainder, run the updater manually at least once a week. Bear in mind that Cyber Essentials itself expects security updates rated critical or high-risk to be applied within 14 days of release, so weekly is the minimum cadence rather than a target.

Fourth on the list is user access control. This is probably the most technical of the five elements, because you must know a certain amount about how the file permission mechanisms work on your file servers, Microsoft 365 repositories and so on. One of the biggest reasons ransomware can have such a massive impact is that so many small businesses have several user IDs configured as administrators, because that's the easiest way to ensure users can access everything they need. If you don't have someone technical on staff, this is the opportunity to hire one, or engage some freelance or agency help for a few hours, to design your permissions using (and this is a technical cyber term) the Principle of Least Privilege: giving everyone access to everything they need and nothing else. Even the people who genuinely need admin rights should have a separate, ordinary account for email and web browsing and use the privileged one only when the job calls for it. Proper access control on a system with, say, a million files is the difference between ransomware encrypting the 50,000 files the compromised user can write to and ransomware encrypting everything.

And finally: use anti-malware (antivirus, or AV) software. While malware is not the only way to hack a system, it's most definitely the most popular. In a Windows world, the built-in Defender product is a great start, and AV software is inexpensive enough that there's no harm in choosing one of the popular commercial AV products instead, because the vendors of those packages do AV for a living rather than as a small corner of their product portfolio. Whichever you pick, run one real-time engine rather than two side by side: Windows turns Defender off automatically when a third-party product registers itself, and two active engines fighting over the same files cause more trouble than they prevent. Keep it updating automatically, and make sure it's on every machine, including laptops that rarely come into the office.
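
The five controls above lend themselves to a quick self-check. The PowerShell script below is an added illustration, not code from this article, from ISC2 or from the Cyber Essentials scheme; it inspects a standalone Windows 10/11 PC from an elevated prompt. The thresholds it uses (an idle lock within 120 seconds, an update within the last 14 days, no more than two local administrators, signatures under a week old) are assumptions chosen for the example, not figures taken from the scheme.

```powershell
# Cyber Essentials-style self-check for a standalone Windows 10/11 machine.
# Illustrative script, not from the article or the scheme. Run elevated.
# All numeric thresholds below are assumptions for the example.
#Requires -RunAsAdministrator

$findings = @()

# 1. Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled.ToString() -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    }
}

# 2. Secure configuration: built-in Administrator (RID 500) and Guest (RID 501)
#    should be disabled whatever they have been renamed to, and the machine
#    should lock itself after a short idle period.
foreach ($u in Get-LocalUser) {
    if ($u.Enabled -and ($u.SID.Value -match '-50[01]$')) {
        $findings += "Built-in account '$($u.Name)' is still enabled"
    }
}
$sysPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $sysPolicy.InactivityTimeoutSecs -or $sysPolicy.InactivityTimeoutSecs -gt 120) {
    $findings += "No machine-wide idle lock within 120 s (InactivityTimeoutSecs not set or too high)"
}

# 3. Update management: automatic installation enabled (NotificationLevel 4 =
#    scheduled install) and at least one update installed in the last 14 days.
$au = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
if ($au.NotificationLevel -lt 4) {
    $findings += "Windows Update is not set to install automatically (level $($au.NotificationLevel))"
}
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-14)) {
    $findings += "No update installed in the last 14 days (last: $($latest.InstalledOn))"
}

# 4. User access control: least privilege means the local Administrators group
#    stays small. Two members (built-in Administrator plus one named admin) is
#    the assumed ceiling here.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
if ($admins.Count -gt 2) {
    $findings += "Local Administrators group has $($admins.Count) members: $($admins.Name -join ', ')"
}

# 5. Malware protection: Defender running with real-time protection and fresh
#    signatures. If a third-party product has replaced Defender, Windows turns
#    Defender off and this check will report it; verify that product instead.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time anti-malware protection is off" }
if ($mp.AntivirusSignatureAge -gt 7) { $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old" }

if ($findings) {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
} else {
    Write-Output "PASS: all five checks OK"
}
```

Run it on each machine and treat every FAIL line as a to-do item. On a domain-joined PC most of these settings are pushed by Group Policy, and the registry value the idle-lock check reads is where that policy lands, so the script still reflects what the machine is actually doing.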

Requirements and Expectations

In the UK, formal Cyber Essentials certification is something you pretty much have to have if you're going to be a supplier to the Government in some product or service areas. Even if there is no compulsion to have it in order to do business, though, common sense says small businesses should adopt the principles in the name of best practice.

If you're among the majority of ISC2 members outside the U.K., Cyber Essentials is still relevant to you because, quite simply, it's a set of incredibly simple things that anyone, individual or business, can do, and a variety of sources (including this one, which we chose at random from a list of several) walk you through them. While you may not be able to achieve formal Cyber Essentials certification, the point is that it's a playbook to follow, and with minimal effort and modest technical ability you can use it to become surprisingly secure.
