Creating a Cybersecurity and Incident Response Strategy for Small Offices
By Amy Scanlin, MS
CYBER ATTACKS cost billions of dollars each year, and small businesses are particularly vulnerable. A complicated and ever-changing array of threats to security infrastructure requires dedicated and vigilant awareness of the risks and of how to mitigate them. Costly investments in IT personnel and training, servers and software, cloud storage and email services, and website and domain security can feel daunting. Fortunately, resource-rich yet no-cost tools can guide small businesses in building cybersecurity resilience, developing a detailed cybersecurity plan and creating a cyber incident response plan so that, if an attack happens, corrective actions can minimize damages.
Gaining Cybersecurity Resilience
Cybersecurity resilience begins at the top with the decision to invest in the most effective infrastructure possible and to ensure employees at every level are active participants in protecting the business.
The leading causes of small business data breaches are employees and communication flow. Visiting a malicious website or clicking on an infected link can expose businesses to costly threats and liabilities. As such, a cybersecurity plan must include employee resilience and continuous training to identify and avoid the pitfalls of scammers, phishers and the many types of malware that can infect businesses.
A Department of Homeland Security (DHS)/Carnegie Mellon University partnership offers a self-administered or DHS-conducted, non-technical assessment that helps businesses gauge their own cybersecurity strengths and weaknesses. To access the DHS/Carnegie Mellon tool, visit the Cybersecurity & Infrastructure Security Agency website at cisa.gov, then click on Resources & Tools, Services and Cyber Resilience Review.
The Federal Trade Commission’s (FTC) website is also full of resources that help small businesses and their employees understand and identify risks. The site provides training videos such as “Scams and Your Small Business” and quizzes such as “Defending Against Ransomware and Cybersecurity” that use real-world situations that can start discussions and create opportunities to highlight internal challenges, concerns and solutions. To access the FTC training tools, visit FTC.gov, then click on Advice and Guidance, Business Guidance, For Small Business and then Cybersecurity. DHS also provides employee training resources called Stop.Think.Connect., accessible at www.stopthinkconnect.org.
Developing or Strengthening a Cybersecurity Plan
A well-thought-out and detailed cybersecurity plan is a central concern for any business. Protecting employee personal data, patient health information, customer payment methods and much more involves many crucial decision points, each of which helps safeguard a different type of data. So, when developing and implementing a cybersecurity plan, it’s time to call in the experts.
Data is most at risk when it is on the move: when it is uploaded to or downloaded from a cloud-based server, when emails and their attachments are traveling from one location to another, when patients and employees are logging into portals remotely, etc. All of these entry points are opportunities for hackers to access sensitive business, personal, personnel and medical information.
Common-sense security is layered with up-to-date software, antivirus software, firewalls, passwords, multi-factor authentication and encryption. But how should businesses configure networks to ensure maximum protection? The front door of any cybersecurity protection plan is the Internet connection. An internal company network must be distinct from the public-facing Internet and should employ all the aforementioned layered security mechanisms. It should also be accessible only by specific allowed devices and users while ensuring that business operations can be conducted effectively.
A company server is one of the most vulnerable pieces of a digital footprint. Therefore, cybersecurity professionals recommend using cloud storage and email solutions versus on-site solutions. You may wonder why data is at risk when it is on the move. The reason lies in IT expertise. Wherever data is stored and transmitted, dedicated staff must continually monitor for software updates, vulnerabilities and red flags that company data has been accessed by bad actors. Responding in the event of a cyber incident so that infected areas are contained and malware is prevented from spreading requires skill. Outsourcing IT expertise is one area that is generally more effective from a cost and skill standpoint.
There is a lot to consider when designing and implementing an appropriate cybersecurity plan. The Federal Communications Commission’s Small Biz Cyber Planner offers customizable cybersecurity plans that include details on these types of information and topical areas such as privacy and data security, securing mobile devices, credit card payment portals and more at fcc.gov/cyberplanner. This is a great starting point for understanding how to communicate needs and expectations to an IT professional.
A cybersecurity plan must also include an ongoing assessment of cyber hygiene and vulnerability risks. CISA offers a free cyber hygiene vulnerability service that can help. Learn more by visiting cisa.gov, then type “Cyber Hygiene Services” into the search bar.
Creating a Cyber Incident Response Plan
Despite the best-laid plans, unfortunately, sometimes the unthinkable happens. Preparing for a cyber incident by putting procedures into place can limit potential damages. Businesses can do the hard work up front using the FCC Small Biz Cyber Planner and CISA’s Cyber Guidance for Small Businesses (cisa.gov/cyber-guidance-small-businesses) and then working with an IT professional to develop a plan unique to the business. The plan should be kept in writing, and should be reviewed and practiced often.
As part of the cyber incident response plan, businesses can connect in advance with applicable law enforcement, including local and FBI representatives. CISA regional offices also provide protective security advisors, cybersecurity advisors, emergency communications division coordinators and others who help companies plan and respond to cyber incidents. It’s beneficial to document contact information for these helpful resources upfront and include it in the cyber response plan.
Next, roles and responsibilities should be assigned for the whos and hows of a cyber incident response. An incident manager should be at the helm of response coordination to handle communication flow and delegate tasks to ensure pieces fall into place. A technical manager (TM) will be the subject matter expert who knows the whats and wheres of sensitive company data. The TM will also work with any outside technical experts to limit data exposure, address vulnerabilities and bring systems back online, including eradication of the unauthorized intrusion and software and data recovery with a clean reinstallation. The communications manager will be the public face of the incident response, speaking with reporters, stakeholders and other interested parties.
Because responding to a cyber incident is stressful, as much work as possible should be performed ahead of time so the entire focus can be on identifying, stopping and correcting vulnerabilities. Following the incident resolution, the cyber incident response team should review the response and improve procedures in case a similar incident happens in the future.
Experts Are Out There; Use Them
The resources provided here offer great starting points to learn about cybersecurity and to begin planning for protecting small businesses. By learning more about the complicated world of cybersecurity, business owners will be better able to work with IT professionals to ensure their businesses are understood and their security needs are met.
While these resources are not a substitute for a dedicated IT professional, they do provide the fundamentals of assessing vulnerabilities, designing robust cybersecurity plans and responding to a cyber incident. Together, these important safeguards will provide the best possible chance of staying ahead of the curve. Use these resources and others like them to create the most robust cybersecurity plan for your business.