Cybersecurity and small business
Small business incidents and impacts
Unfortunately, another notable trend is that data breaches and cyberattacks involving small- and medium-sized businesses are on the rise. While small and medium-sized businesses struggle to maintain effective cybersecurity, primarily because of resource constraints, cybercriminals are increasingly targeting smaller entities. Given that the cost of recovering from a data breach far exceeds the cost of preventing one, addressing this risk is no longer optional.
Small business resources
Appendix III provides a summary of the global Center for Internet Security, Inc. (CIS®) framework of cybersecurity controls. The structure of this framework includes identification of controls by different implementation groups (IGs), with IG1 being enterprises that are ‘small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel’. In addition to the CIS framework, there are other resources targeted at this audience.
In the United States, CISA developed a Cyber Essentials Starter Kit: The Basics for Building a Culture of Cyber Readiness. CISA’s Essentials Starter Kit is a guide for leaders of small businesses and small and local government agencies that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and can be used as a starting point for cyber readiness.
According to the Essentials Starter Kit, building a culture of cyber readiness has six essential elements:
Yourself. Drive cybersecurity strategy, investment, and culture.
Your staff. Develop security awareness and vigilance.
Your systems. Protect critical assets and applications.
Your surroundings. Ensure only those who belong on your digital workplace have access.
Your data. Make backups and avoid loss of information critical to operations.
Your crisis response. Limit damage and quicken restoration of normal operations. [26]
The Essentials Starter Kit also identifies ‘things to do first’ including:
Backup data. Employ a backup solution that automatically and continuously backs up critical data and system configurations.
Multifactor authentication. Require multifactor authentication (MFA) for accessing your systems whenever possible.
Patch and update management. Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly. [27]
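The three ‘things to do first’ above are concrete enough to check mechanically against an asset inventory. The script below is an added example, not part of the CISA Essentials Starter Kit or this report; it evaluates a constructed inventory (the asset names, dates and flags are assumptions made up for illustration) against the three controls and reports which assets fail which control, so a small business can see its gaps at a glance. The one-day backup threshold is likewise an assumption and can be adjusted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# A finding is (control, explanation); controls mirror the three "do first" items.
Finding = Tuple[str, str]

@dataclass
class Asset:
    name: str
    os_name: str
    os_supported_until: date        # vendor end-of-support date for the OS
    auto_updates: bool              # automatic updates enabled?
    mfa_enforced: bool              # MFA required to sign in / administer?
    last_backup: Optional[date]     # most recent successful backup, None if never

# Assumed reference date and backup-freshness threshold (both constructed).
TODAY = date(2024, 6, 1)
MAX_BACKUP_AGE = timedelta(days=1)

def check_asset(asset: Asset, today: date = TODAY) -> List[Finding]:
    """Return the list of 'do first' controls this asset fails."""
    findings: List[Finding] = []

    # 1. Backup data: a backup must exist and be no older than the threshold.
    if asset.last_backup is None:
        findings.append(("backup", "no backup has ever completed"))
    elif today - asset.last_backup > MAX_BACKUP_AGE:
        age = (today - asset.last_backup).days
        findings.append(("backup", f"last backup is {age} days old"))

    # 2. Multifactor authentication: must be enforced wherever possible.
    if not asset.mfa_enforced:
        findings.append(("mfa", "multifactor authentication not enforced"))

    # 3. Patch and update management: unsupported OS must be replaced;
    #    otherwise automatic updates should be on.
    if asset.os_supported_until < today:
        findings.append(("patching",
                         f"{asset.os_name} unsupported since {asset.os_supported_until}; replace"))
    elif not asset.auto_updates:
        findings.append(("patching", "automatic updates disabled"))

    return findings

def assess(inventory: List[Asset], today: date = TODAY) -> Dict[str, List[Finding]]:
    """Map each asset name to its findings (empty list means all three controls pass)."""
    return {asset.name: check_asset(asset, today) for asset in inventory}

def summarize(results: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count how many assets fail each control, to prioritise remediation."""
    counts: Dict[str, int] = {}
    for findings in results.values():
        for control, _ in findings:
            counts[control] = counts.get(control, 0) + 1
    return counts

# Constructed sample inventory (illustrative only; Windows end-of-support dates are the
# vendor's published dates, the laptop date is assumed).
SAMPLE_INVENTORY = [
    Asset("pos-terminal", "Windows 7", date(2020, 1, 14), False, False, None),
    Asset("file-server", "Windows Server 2022", date(2031, 10, 14), True, True, date(2024, 5, 31)),
    Asset("laptop-ceo", "macOS 14", date(2026, 9, 30), False, True, date(2024, 5, 20)),
]

if __name__ == "__main__":
    results = assess(SAMPLE_INVENTORY)
    for name, findings in results.items():
        status = "OK" if not findings else "; ".join(f"{c}: {msg}" for c, msg in findings)
        print(f"{name:14} {status}")
    print("failures per control:", summarize(results))
```

Running it prints one line per asset and a per-control tally; the tally is the useful output for a resource-constrained team, since it shows which of the three controls, if fixed first, closes the most gaps.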
The UK National Cyber Security Centre (NCSC) has developed a Cyber Essentials certification program (delivered by IASME) that demonstrates an organization has implemented the most important controls. The basic Cyber Essentials is a self-assessment option. Cyber Essentials Plus involves a hands-on technical verification. [28]
Reducing your organization’s cyber risks requires a holistic approach.