Top 10 Cyber Security Implementations for a Small Business
egrizzly
Hi y'all. I was curious to find out what you folks feel fall into the top 10 cyber security implementations that a typical small business of 50-100 employees would need. I'm doing this as research on the security need that's in most demand so I can identify resources and acquire the skill set. Here's a tentative list of four technologies I have just off the top of my head. Please feel free to add to this list, subtract from it, or confirm its validity.
1. Implementation of End Point Security on workstations (e.g. HIDS, HIPS)
2. Implementation of a SIEM tool.
3. Implementation and configuration of an Email Security platform (e.g. Mimecast)
4. Wi-Fi Security
5. Documentation and implementation of cyber security policies.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
Comments
SteveLavoie:
Canadian Cybersecurity Center has released a baseline control for SMB businesses (fewer than 500 employees). It is adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.
https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Don't forget security is not only technological control.
JDMurray (Admin):
I can't help feeling that the first five items on such a list should be "Email Security" and the last five items be "User Security Awareness Training."
And speaking of non-technological controls, the CCC's cybersecurity baseline does not include a recommendation for dedicated IT security staff, only that such staff may exist within an org. It would be nice to see an explicit recommendation of staff whose job role is IT Security, and not have the owner's daughter/secretary be the "keeper of all the passwords."
yoba222:
From what I've seen, dropping tens of thousands per year on next-gen, shiny security tech licenses does little good if the organization isn't willing to hire additional people to actually use the tech and get thoroughly trained on it. The onus for the additional tech tends to be piled on existing sysadmins/security people.
I think I'm probably drifting off topic, and if I were to venture a guess, I'd say the most cost-effective equation for potent cybersecurity would be 75% having enough people and trained to use the tech, and 25% on the tech.
If hiring more people isn't feasible for the small business, I'd say my top recommendation is: outsource to a SOC.
A+, Network+, CCNA, LFCS,
Security+, eJPT, CySA+, PenTest+,
Cisco CyberOps, GCIH, VHL,
In progress: OSCP
egrizzly:
SteveLavoie said:
Canadian Cybersecurity Center has released a baseline control for SMB businesses (fewer than 500 employees). It is adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.
https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Don't forget security is not only technological control.
Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit, or do you manually go through that list using the website link you provided?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
SteveLavoie:
egrizzly said:
SteveLavoie said:
Canadian Cybersecurity Center has released a baseline control for SMB businesses (fewer than 500 employees). It is adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.
https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Don't forget security is not only technological control.
Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit, or do you manually go through that list using the website link you provided?
egrizzly:
SteveLavoie said:
egrizzly said:
SteveLavoie said:
Canadian Cybersecurity Center has released a baseline control for SMB businesses (fewer than 500 employees). It is adapted to the reality of smaller businesses, and that's what I am using to audit smaller companies or companies starting a security program.
https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Don't forget security is not only technological control.
Thanks Steve. That was helpful. Is there software you use that walks you through this checklist during the actual audit, or do you manually go through that list using the website link you provided?
I gotcha. Yeah, that's what I kind of figured. So you don't use any software to walk you through this checklist? It's all manual on a Word document or something?
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
scasc:
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned to have a decent baseline in place. Check this out - it may be helpful.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
anthonx:
SteveLavoie said:
@JDMurray maybe I am not awake enough... but what is CCC?
AnthonX
SteveLavoie:
anthonx said:
SteveLavoie said:
@JDMurray maybe I am not awake enough... but what is CCC?
CCC is only asking that someone in a leadership role is responsible for IT Security.
"O.C 5.1 Organizations should identify someone in a leadership role who is specifically responsible for their IT security."
egrizzly:
scasc said:
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned to have a decent baseline in place. Check this out - it may be helpful.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
scasc:
No worries. For anyone else, these are:
- Risk Management Regime.
- Secure Configuration.
- Home and mobile working.
- Incident management.
- Malware prevention.
- Managing user privileges.
- Network security.
- Removable media controls.
AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
Lavanyasreepada123:
It’s easy to think that because you have a small business, cybercriminals will pass over attacking your company. The “not much to steal” mindset is common with small business owners in regards to cybersecurity, but it is also completely incorrect and out of sync with today’s cybersecurity best practices.
- Use a firewall
- Document your cybersecurity policies
- Plan for mobile devices
- Educate all employees
- Enforce safe password practices
SteveLavoie:
After all, most attackers go for the low-hanging fruit, and SMBs are that kind of fruit.
priyanka_agarwal:
I personally feel that if it's an SME, they can outsource cybersecurity rather than spending on a complete army within your company.
But before outsourcing you must think:
- What is the application you are looking to protect?
- What protocol will you follow (SAML / OpenID Connect / OAuth, etc.)? You can get this knowledge by simply requesting a demo from a company.
- What will be the long-term plan? Are you planning for IAM? Is it on-premise or cloud?