Cybersecurity today has evolved from an IT problem into a business priority. Despite that shift, business leaders are overwhelmed by technical jargon and complex standards. Threats and technologies change every day, and there are thousands of security products on the market that may solve a problem you don't have.
In this article we review the four items you can act on today to tighten your company's security posture.
1. Identify and Lead
The first step in security planning is to establish a clear list of the services and data critical to the operation of the business. Start by creating an inventory of applications, technology vendors, and data. Consider the following discovery questions:
- What data is critical to your business?
- Who has access to this data? Can you tighten and limit access anywhere?
- Where is your data stored and how is it protected?
- What would be the impact of a potential breach?
- Are there any compliance requirements? (HIPAA, PCI, etc.)
- Do you have a defined onboarding and offboarding plan?
- What assets need to be locked away, and when?
Investing in security is a business decision, and the cost of protecting an asset should be aligned with what that asset is worth to the organization. Answering these questions produces a prioritized list of the critical and exposed assets that need resiliency and protection first.
Security Sponsorship
Acceptable use policies and security training are important to business security, but they can cause tension among teammates if the purpose behind them is not communicated. It's important to frame and communicate the firm's security as a business need rather than just a technical issue. As a business leader, being an early adopter and champion of security policies and initiatives shows that security changes are purposeful and important.

2. Detection & Response Plan
The most common failure in even the most sophisticated security systems is a lack of planning and ongoing maintenance. The newest and most robust firewall on the market is rendered meaningless if it isn't patched and maintained. Effective detection and response planning for a small business should include the processes that continually review and update the security that is already in place.
Develop a clear plan to mitigate, detect and respond to potential cybersecurity incidents. Ensure that:
- Antivirus or endpoint protection software is deployed on every device and updates automatically.
- Operating systems, applications, and device firmware are patched and maintained.
- Users are regularly trained on policies and on common attacks such as phishing.
- There's a defined process for notifying relevant parties in case of an incident.
- You've identified all stakeholders (internal and external) who need to be informed in the event of a breach.
This step addresses many high-level best practices in a cybersecurity framework. To dive deeper, refer to page 6 of the NIST Resource and Overview Guide or contact Salt Peak and we’ll help assess solutions to protect your critical assets found in discovery.
3. Enable Multi-Factor Authentication (MFA)
One of the simplest and most effective cybersecurity steps you can take today is implementing MFA across your business. It is one of CISA's top recommended security practices and goes a long way toward improving your organization's security posture without a large upfront investment.
What is MFA? Multi-factor authentication (often seen as two-step or two-factor authentication) means a user must prove who they are with two or more independent factors before getting access. The factors are something they know (a password), something they have (an authenticator app, a hardware security key, or an SMS code), and something they are (a fingerprint or face scan). A password plus a second password is not MFA; the factors must be of different kinds. Not all second factors are equal: SMS codes can be intercepted or phished, so where a service offers it, prefer an authenticator app or, better, a phishing-resistant method such as a FIDO2 security key or passkey, which CISA also recommends.
Apply this to:
- Business phone service logins
- Microsoft and Google accounts (personal and business)
- Banking and payroll logins
- Password managers
- Social media accounts
- Insurance and benefits services
- Customer data repositories (CRMs, online ordering systems)
4. Recovery Planning
Prepare for the worst by creating a recovery plan. For a small business with limited technical assets, a basic outline of what is being backed up, along with the relevant contacts and responsibilities, is a great start, together with confirming and documenting how data would actually be restored.
- Identify any gaps in your backup data: if there were a breach today, what data could you lose? Test a restore periodically; a backup that has never been restored is an assumption, not a plan.
- Establish a clear process for data restoration, defining the steps and the necessary contacts.
- Assign communication responsibilities by defining the internal and external stakeholders that need to be notified when there's a confirmed incident. This may include customers and law enforcement agencies. It's important to understand what regulations and notification deadlines apply to your organization.
It can feel counterintuitive to spend time planning for what to do when there's an incident in your network; after all, the whole point of this checkup is to avoid an incident in the first place. Threats are evolving every day, and while it's critically important to protect against them, it's equally important to know how to respond and recover should there be a breach.
Take the Next Step
While this checklist provides a solid foundation and first step, cybersecurity is an ongoing process. If you're unsure about your results or need assistance implementing these measures, consider partnering with a business consultant specializing in cybersecurity, such as Salt Peak, who can guide you through a more comprehensive audit and help resolve any gaps you find.
Remember, as a business leader, your role in championing cybersecurity is crucial. By approaching it as a business need rather than just a technical issue, you’re taking a significant step towards protecting your company’s future. Stay vigilant, stay secure, and lead your business confidently into the digital age.
References and Additional resources
This guide is intended as a first step and does not reflect the entirety of the comprehensive frameworks published by the US government. See these resources published by NIST, CISA, and the FTC for more:
- NIST, Cybersecurity Framework 2.0 (accessed November 11, 2024)
- NIST, Cybersecurity Framework 2.0: Resource & Overview Guide, February 2024
- NIST, Cybersecurity Framework 2.0: Small Business Quick-Start Guide, February 2024
- CISA, More than a Password (cisa.gov) (accessed November 11, 2024)
- CISA, Cyber Essentials Webinar, 2021
- FTC, Cybersecurity for Small Business (accessed November 11, 2024)