Top 10 Cyber Security Implementations for a Small Business

egrizzly Member Posts: 533 ■■■■■□□□□□
Hi y'all.  I was curious to find out what you folks feel fall into the top 10 cyber security implementations that a typical small business of 50-100 employees would need. I'm doing this as research on the security need that's most in demand so I can identify resources and acquire the skill set.  Here's a tentative list of technologies I have just off the top of my head.  Please feel free to add to this list, subtract from it, or confirm its validity.

1.  Implementation of End Point Security on workstations (e.g. HIDS, HIPS)
2. Implementation of a SIEM tool.
3. Implementation and configuration of an Email Security platform (e.g. Mimecast)
4. Wi-Fi Security
5. Documentation and implementation of cyber security policies.
B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+

Comments

  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    edited November 2020
    The Canadian Cybersecurity Center has released baseline controls for SMB businesses (fewer than 500 employees). They are adapted to the reality of smaller businesses, and that's what I use to audit smaller companies or companies starting a security program. 

    https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

    Don't forget that security is not only about technological controls. 
  • JDMurray Admin Posts: 13,023 Admin
    I can't help feeling that the first five items on such a list should be "Email Security" and the last five items be "User Security Awareness Training."

    And speaking of non-technological controls, the CCC's cybersecurity baseline does not include a recommendation for dedicated IT security staff--only that such staff may exist within an org. It would be nice to see an explicit recommendation of staff whose job role is IT Security--and not have the owner's daughter/secretary be the "keeper of all the passwords."
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    @JDMurray  maybe I am not awake enough.. but what is CCC?
  • yoba222 Member Posts: 1,237 ■■■■■■■■□□
    edited November 2020
    From what I've seen, dropping tens of thousands per year on next-gen, shiny security tech licenses does little good if the organization isn't willing to hire additional people to actually use the tech and get thoroughly trained on it. The onus for the additional tech tends to be piled on existing sysadmins/security people.

    I think I'm probably drifting off topic, and if I were to venture a guess, I'd say the most cost-effective equation for potent cybersecurity would be 75% on having enough people who are trained to use the tech, and 25% on the tech.

    If hiring more people isn't feasible for the small business, I'd say my top recommendation is
    1. Outsource to a SOC
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • egrizzly Member Posts: 533 ■■■■■□□□□□
    Thanks Steve.  That was helpful.  Is there software you use that walks you through this checklist during the actual audit or do you manually go through that list using the website link you provided?
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    egrizzly said:
    Thanks Steve.  That was helpful.  Is there software you use that walks you through this checklist during the actual audit or do you manually go through that list using the website link you provided?
    Usually, I do this checklist in an interview format with the IT director/owner/tech; this way I can educate them on what cybersecurity is. Then, after the interview, I manually check each control to attest that what they said is true.  Usually there is a bit of distortion between what they said and reality. 
  • egrizzly Member Posts: 533 ■■■■■□□□□□
    SteveLavoie said:
    Usually, I do this checklist in an interview format with the IT director/owner/tech; this way I can educate them on what cybersecurity is. Then, after the interview, I manually check each control to attest that what they said is true.  Usually there is a bit of distortion between what they said and reality. 

    I gotcha.  Yeah, that's what I kind of figured.  So you don't use any software to walk you through this checklist?  It's all manual on a Word document or something?
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • scasc Member Posts: 461 ■■■■■■■□□□
    https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

    There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned, to have a decent baseline in place. Check this out - it may be helpful.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • anthonx Member Posts: 109 ■■■□□□□□□□
    @JDMurray  maybe I am not awake enough.. but what is CCC?
    He must be talking about Canadian Cybersecurity Center (CCC).  
    AnthonX
  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    anthonx said:
    @JDMurray  maybe I am not awake enough.. but what is CCC?
    He must be talking about Canadian Cybersecurity Center (CCC).  
    Probably. 

    CCC only asks that someone in a leadership role be responsible for IT Security. 

    "O.C 5.1 Organizations should identify someone in a leadership role who is specifically responsible for their IT security."


  • egrizzly Member Posts: 533 ■■■■■□□□□□
    scasc said:
    https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security

    There is a mandate here in the UK for SMEs to adopt the core 10 controls mentioned, to have a decent baseline in place. Check this out - it may be helpful.
    Thanks scasc
    B.Sc (Info. Systems), CISSP, CCNA, CCNP, Security+
  • scasc Member Posts: 461 ■■■■■■■□□□
    No worries. For anyone else, these are:
    • Risk Management Regime.
    • Secure Configuration.
    • Home and mobile working.
    • Incident management.
    • Malware prevention.
    • Managing user privileges.
    • Network security.
    • Removable media controls.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • Lavanyasreepada123 Member Posts: 1 ■■□□□□□□□□
    It's easy to think that because you have a small business, cybercriminals will pass over attacking your company. The "not much to steal" mindset is common among small business owners with regard to cybersecurity, but it is also completely incorrect and out of sync with today's cybersecurity best practices.

    • Use a firewall
    • Document your cybersecurity policies
    • Plan for mobile devices
    • Educate all employees
    • Enforce safe password practices

  • SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
    After all, most attackers go for the low-hanging fruit, and SMBs are that kind of fruit. 
  • priyanka_agarwal Member Posts: 2 ■□□□□□□□□□
    I personally feel that if it's an SME, they can outsource cybersecurity rather than spending on a complete army within the company. 

    But before outsourcing, you must think about:
    - What is the application you are looking to protect?
    - Which protocol will you follow (SAML / OpenID Connect / OAuth, etc.)? You can get this knowledge by simply requesting a demo from a company.
    - What is the long-term plan? Are you planning for IAM? Is it on-premise or cloud?
