Top 10 Cyber Security Implementations for a Small Business

Hi y'all. I was curious in finding out what you folks feel fall into the top 10 cyber security implementations that a typical small business of 50-100 employees would need. I'm doing this as research on the security need that's in most demand so I can identify resources and acquire the skill set. Here's a tentative list of four technologies I have just off the top of my head. Please feel free to add to this list, subtract from it, or confirm it's validity.

1. Implementation of End Point Security on workstations (e.g. HIDS, HIPS)
2. Implementation of a SIEM tool.
3. Implementation and configuration of an Email Security platform (e.g. Mimecast)
4. Wi-Fi Security
5. Documentation and implementation of cyber security policies.

Find more posts tagged with

top ten cyber security

cyber checklist

Comments

SteveLavoie

Canadian Cybersecurity Center have released a baseline control for SMB business (less than 500 employees). It is adapted to the reality of smaller business and that's what I am using to audit smaller company. or company starting a security program.

https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

Don't forget security is not only technological control.

JDMurray

I can't help feeling that the first five items on such a list should be "Email Security" and the last five items be "User Security Awareness Training."

And speaking of non-technological controls, the CCC's cybersecurity baseline does not include a recommendation for dedicated IT security staff--only that such staff may exist within an org. It would be nice to see an explicit recommendation of staff whose job role is IT Security--and not have the owner's daughter/secretary be the "keeper of all the passwords."

SteveLavoie

@JDMurray maybe I am not awake enough.. but what is CCC?

yoba222

From what I've seen, dropping tens of thousands per year on next-gen, shiny security tech licenses does little good if the organization isn't willing to hire additional people to actually use the tech and get thoroughly trained on it. The onus for the additional tech tends to be piled on existing sysadmins/security people.

I think I'm probably drifting off topic, and if I were to venture a guess, I'd say the most cost-effective equation for potent cybersecurity would be 75% having enough people and trained to use the tech, and 25% on the tech.

If hiring more people isn't feasible to the small business, I'd say my top recommendation is

Outsource to a SOC

egrizzly

SteveLavoie said:

Canadian Cybersecurity Center have released a baseline control for SMB business (less than 500 employees). It is adapted to the reality of smaller business and that's what I am using to audit smaller company. or company starting a security program.

https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

Don't forget security is not only technological control.

Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit or do you manually go through that list using the website link you provided?

SteveLavoie

egrizzly said:

SteveLavoie said:

Canadian Cybersecurity Center have released a baseline control for SMB business (less than 500 employees). It is adapted to the reality of smaller business and that's what I am using to audit smaller company. or company starting a security program.

https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

Don't forget security is not only technological control.

Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit or do you manually go through that list using the website link you provided?

Usually, I am doing this checklist in an interview format with the IT director/owner/tech, this way I can educate them on what is cybersecurity, then after the interview, I am manually checking each control to attest that what they said is true. Usually there is a bit of distorsion between what they said an reality.

egrizzly

SteveLavoie said:

egrizzly said:

SteveLavoie said:

Canadian Cybersecurity Center have released a baseline control for SMB business (less than 500 employees). It is adapted to the reality of smaller business and that's what I am using to audit smaller company. or company starting a security program.

https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

Don't forget security is not only technological control.

Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit or do you manually go through that list using the website link you provided?

Usually, I am doing this checklist in an interview format with the IT director/owner/tech, this way I can educate them on what is cybersecurity, then after the interview, I am manually checking each control to attest that what they said is true. Usually there is a bit of distorsion between what they said an reality.

I gotcha. Yeah, that's what I kind of figured. So you don't use any software to walk you though this checklist? It's all manual on a Word document or something?

scasc

https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

There is a mandate here in the UK for SME's to adopt the core 10 controls mentioned to have a decent baseline in place. Check this out - may be helpful.

anthonx

SteveLavoie said:

@JDMurray maybe I am not awake enough.. but what is CCC?

He must be talking about Canadian Cybersecurity Center (CCC).

SteveLavoie

anthonx said:

SteveLavoie said:

@JDMurray maybe I am not awake enough.. but what is CCC?

He must be talking about Canadian Cybersecurity Center (CCC).

Probably.

CCC is only asking that someone in a leadership role is responsible for IT Security.

"O.C 5.1 Organizations should identify someone in a leadership role who is specifically responsible for their IT security."

egrizzly

scasc said:

https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

There is a mandate here in the UK for SME's to adopt the core 10 controls mentioned to have a decent baseline in place. Check this out - may be helpful.

Thanks scasc

scasc

No worries. For anyone else, these are:

Risk Management Regime.
Secure Configuration.
Home and mobile working.
Incident management.
Malware prevention.
Managing user privileges.
Network security.
Removable media controls.

Lavanyasreepada123

It’s easy to think that because you have a small business, cybercriminals will pass over attacking your company. The “not much to steal” mindset is common with small business owners in regards to cybersecurity, but it is also completely incorrect and out of sync with today’s cybersecurity best practices.

Use a firewall
Document your cybersecurity policies
Plan for mobile devices
Educate all employees
Enforce safe password practices

SteveLavoie

Afterall, for most attacker, they go to the low-hanging fruit.. and SMB are this kind of fruit.

priyanka_agarwal

I personally feel if it's an SME, they can outsource the cybersecurity rather than spending a complete army of your company.

But before outsourcing must think
-what is the application you are looking to protect?
-what will be the protocol you will follow (SAML/ OpenID Connect/ OAuth, etc) - You can get this knowledge by simply calling a demo from a company
-What will be the long-term plan- Are you planning for IAM,- Is it on-premise or cloud?