Top 10 Cyber Security Implementations for a Small Business

egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+)
Hi y'all. I was curious to find out what you folks feel falls into the top 10 cyber security implementations that a typical small business of 50-100 employees would need. I'm doing this as research on the security need that's in most demand so I can identify resources and acquire the skill set. Here's a tentative list of four technologies I have just off the top of my head. Please feel free to add to this list, subtract from it, or confirm its validity.

1. Implementation of endpoint security on workstations (e.g. HIDS, HIPS)
2. Implementation of a SIEM tool.
3. Implementation and configuration of an email security platform (e.g. Mimecast)
4. Wi-Fi security
5. Documentation and implementation of cyber security policies.

Comments

  • SteveLavoie
    edited November 21
    The Canadian Cybersecurity Center has released baseline controls for SMBs (fewer than 500 employees). They are adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.

    https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

    Don't forget that security is not only technological controls.
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+; Surf City, USA; Admin)
    I can't help feeling that the first five items on such a list should be "Email Security" and the last five items be "User Security Awareness Training."

    And speaking of non-technological controls, the CCC's cybersecurity baseline does not include a recommendation for dedicated IT security staff--only that such staff may exist within an org. It would be nice to see an explicit recommendation of staff whose job role is IT Security--and not have the owner's daughter/secretary be the "keeper of all the passwords."
  • SteveLavoie
    @JDMurray  maybe I am not awake enough.. but what is CCC?
  • yoba222 (Senior Member)
    edited November 21
    From what I've seen, dropping tens of thousands per year on next-gen, shiny security tech licenses does little good if the organization isn't willing to hire additional people to actually use the tech and get thoroughly trained on it. The onus for the additional tech tends to be piled on existing sysadmins/security people.

    I think I'm probably drifting off topic, but if I were to venture a guess, I'd say the most cost-effective equation for potent cybersecurity would be 75% having enough people who are trained to use the tech, and 25% on the tech itself.

    If hiring more people isn't feasible to the small business, I'd say my top recommendation is
    1. Outsource to a SOC
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+)
    SteveLavoie said:
    The Canadian Cybersecurity Center has released baseline controls for SMBs (fewer than 500 employees). They are adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.

    https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

    Don't forget that security is not only technological controls.

    Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit, or do you manually go through the list using the website link you provided?
  • SteveLavoie
    egrizzly said:
    Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit, or do you manually go through the list using the website link you provided?

    Usually I am doing this checklist in an interview format with the IT director/owner/tech; this way I can educate them on what cybersecurity is. Then, after the interview, I am manually checking each control to attest that what they said is true. Usually there is a bit of distortion between what they said and reality.
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+)
    SteveLavoie said:
    Usually I am doing this checklist in an interview format with the IT director/owner/tech; this way I can educate them on what cybersecurity is. Then, after the interview, I am manually checking each control to attest that what they said is true. Usually there is a bit of distortion between what they said and reality.

    I gotcha. Yeah, that's what I kind of figured. So you don't use any software to walk you through this checklist? It's all manual on a Word document or something?
  • scasc
    https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

    There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned in order to have a decent baseline in place. Check this out; it may be helpful.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP
  • anthonx (CISA, CRISC, CISM, CDPSE; True North)
    SteveLavoie said:
    @JDMurray  maybe I am not awake enough.. but what is CCC?

    He must be talking about the Canadian Cybersecurity Center (CCC).
    AnthonX
  • SteveLavoie
    anthonx said:
    He must be talking about the Canadian Cybersecurity Center (CCC).

    Probably.

    CCC is only asking that someone in a leadership role is responsible for IT security:

    "O.C 5.1 Organizations should identify someone in a leadership role who is specifically responsible for their IT security."
  • egrizzly (B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+)
    scasc said:
    https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

    There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned in order to have a decent baseline in place. Check this out; it may be helpful.
    Thanks scasc
  • scasc
    No worries. For anyone else, these are:
    • Risk Management Regime.
    • Secure Configuration.
    • Home and mobile working.
    • Incident management.
    • Malware prevention.
    • Managing user privileges.
    • Network security.
    • Removable media controls.
    MSc, BSc (Hons), AWS CSA, C-CISO, CISSP, CCSP, CCSK, CISM, CISA, CRISC, GSTRT, GSNA, GDSA, GCSA, GCCC, CEH, ECSA, CHFI, TOGAF, CISMP