Small businesses are the backbone of the American economy. Small businesses represents 99+% of all employment in the U.S. and 44% of America’s Payroll. Small business are responsible for 64% of new jobs created!
This means small businesses maintain a vast amount of data on employees, business associates, and consumers. So what should small businesses do to enact good security hygiene?
This guide lists the top 5 things every small business could follow to help ensure a stronger security posture.
#1 – Take a cloud first approach. This probably rings true for most small businesses as you probably already have a Facebook account, Google, and others. However what about payroll, G/L, HR, inventory management, etc. In all but a few cases there is a cloud alternative. Cloud based solutions are run by experienced technicians with years of experience. By using cloud you’ll also have economies of scale which mean high availability and redundancy that would cost your business significant capital if you tried to build your own.
There are 3 primary cloud options (Hybrid, Public, Community). Hybrid clouds are a combination of on-premise private clouds in conjunction with a Public or Community Clouds. Public clouds is self explanatory as it’s available to the public. Community clouds are clouds developed by two or more private entities.
Clouds come in many forms and some of the biggest are IaaS (infrasturaction as a service), PaaS (platform as a service) and SaaS (software as a service). Each cloud has its pro’s and cons. For example SaaS will provide you application functionality and will take care of the entire technical stack and that leaves you responsible for user/role permissions, data access, etc. IaaS will allow you to run custom built applications in the cloud as the cloud provider is responsible for the hardware, networking, etc
#2 – Least Privelege / Separation of Duties. The least privilege concept is a practice not to grant access to a system(s) that provides the user with more information than is required to do the job. Separation of Duties means that anything that can have a major business impact should require at least two people before the task can be completed (like 2 signatures on a check). Most small business already practice these concepts even though its probably informal. By following these important concepts you not only make your business more secure but you’ll find that day to day operations will flow more smoothly as well. It’s important to remember that there is a fine balance between too much and too little. The latter can cause friction while the prior makes it easy to cause harm.
There are many case studies where privilege escalation has caused security incidents. The biggest is a major retailer being breached by HVAC technician whose lost credentials allowed an attacker to plant malware in POS systems (here).
#3 – Disaster Recovery. Security focus on 3 primary tenants (confidentiality, availability, and integrity). Most small businesses know how to plan for when there is inclement weather (take shelter), empoyee walks off the job, etc. But what about when there is a wide spread digital failure caused by such events. What happens if you followed #1 and there is a local internet outage (yours or provider).
Small business need to know how to operate in times of disaster. There should be well documented plans on who to call, what to do (revert to paper?), and ultimately how to recover. This should also be periodically tested to ensure they’ll work as planned. This will make your business more resilient.
#4 – Encrypt, Encrypt, Encrypt. This means everything from an employee’s laptop to your cloud providers. You also need to ensure you know how to decrypt (where are they keys/passwords stored).
The good news here is 2 fold. First most mobile devices encrypt the data themselves. The second is that encryption is fairly straightforward. If you need a certificate to encrypt traffic Let’sEncrypt / Certbot is a great choice. If you want to ensure your provider is encypting check using SSLLabs and ask for documentation / evidence.
#5 – Education – By educating your staff you’ll be able to thwart most cyber challenges. Does your accounts payable resource know what information they can give out over the phone (account numbers, balances, etc.)? Education is the single most important thing small business can do to innovate through security.