Does My Business Need A Cybersecurity Plan? 4 Things You Must Do
I see it all the time. A business gets hacked and comes to an IT provider for a solution. Unfortunately, once a breach occurs, the only solution is remediation. The best advice I can give any business is to put a cybersecurity plan in place before an incident happens.
No matter the size of your business, a dynamic cybersecurity plan is essential. Bigger organizations may need a more complex plan, while smaller organizations can get away with a simpler plan, but every business needs a living cybersecurity plan that changes in response to current threats.
As manager of information security and compliance at Kelser, I’ve helped customers recover from breaches and I’ve also helped them craft cybersecurity plans that reflect the specific needs of their business.
In this article, I’ll explain why even low-risk, small businesses need a comprehensive cybersecurity plan.
After reading this article, you’ll know exactly why a cybersecurity plan is important no matter the size of the business.
What Is A Cybersecurity Plan?
Just to make sure we are all operating from the same basic understanding, let’s define what a cybersecurity plan is.
A cybersecurity plan is a proactive and living document that identifies risks, protections, and mitigation strategies.
Pay particular attention to the proactive part of that statement. While the plan can include information about what to do once a breach occurs, it is imperative to take a strategic look at the risks your organization faces and put appropriate safety mechanisms in place to protect sensitive information before a breach.
I also call it a living document because it’s one that should evolve as both your business and the overall threat landscape evolve. Your risks will likely change as your company grows or shrinks, and your cybersecurity plan needs to change to fit those changes to your risk profile. I cannot emphasize enough how cybersecurity is never a “set it and forget it” practice but instead requires frequent care and attention to be effective.
Why Is A Cybersecurity Plan Important For Small Businesses?
Cybersecurity threats are on the rise. We’ve all seen the big attacks that have made the national news, but the reality is that businesses large and small are impacted every day.
This trend is confirmed in the FBI’s 2021 Internet Crime Report. According to the report, the agency’s Internet Crime Complaint Center received a record number of complaints (847,376) from the American public in 2021, a seven percent increase from 2020, with potential losses exceeding $6.9 billion. Ransomware, business e-mail compromise (BEC) schemes, and the criminal use of cryptocurrency were among the top incidents reported.
In fact, an article published in Inc. reports that “more than 30 percent of U.S. small businesses have weak points that bad actors can exploit. Moreover, fraudsters tend to set their sights on small businesses since smaller companies usually have weaker security safeguards in place compared with those at larger companies.”
4 Things You Must Do When Developing A Small Business Cybersecurity Plan
So, now that you know why a cybersecurity plan is important for small businesses, what do you need to consider?
1. Identify The Information That Needs Protecting
Whether it’s the recipe for your world-famous cinnamon rolls or the design of a classified piece of military equipment (or something in between), every organization has information that, if publicized, would cause financial, reputational, or other damage to the organization.
Identify the key pieces of information for your organization and prioritize their importance: what needs the most protection, what needs the least, and what falls in the middle?
2. Determine The Level Of Protection Required For Each Kind Of Information
Just as you wouldn’t lock down every appliance in your home, yet might put parental controls on your child’s electronic devices (or restrict use after certain hours), you don’t want to lock everything down to the same extent.
The design specifications for a piece of military equipment need strong protection. But maybe the all-employee communications about your company’s charity event aren’t as sensitive.
Locking everything down to the same level will impact productivity and cost. As I often like to say, you wouldn’t spend $1,000 to protect a $10 computer mouse. Use appropriate layers of security that reflect the risk.
One of the best ways to protect your information is to limit who has access to sensitive information. While larger businesses often make users sign their life away to gain access to different levels of information, smaller businesses may have a more relaxed approach.
In fact, it’s common to have most (if not all) information available to everyone in a small organization. But does your manufacturing engineer need access to payroll information? Should your human resources officer be able to access your manufacturing equipment?
Understand who has access to which things and develop ways to limit access to an “as needed” basis for a small group of people.
3. Develop An Implementation Plan
Think strategically about the different levels of protection you will put in place. Make sure they are strong enough to protect information appropriately without hindering daily access for those who need it. Whenever there is a question, err on the side of security, but be mindful of the potential impact for users. The best security solutions are both effective and transparent to users.
Remember that there usually isn’t just one correct answer or implementation. For some things, a firewall may be enough protection. For others, it won’t.
Here are some other things to think about:
- How does your implementation ensure that your most critical information is fully protected?
- What will the implementation timeline and costs be?
- What are the intermediate steps that will be necessary?
- How will you know that your protection system is effective?
- How often will you reassess your protections?
4. Execute and Maintain
Now that you have an implementation plan, go execute it!
But remember, just because that’s done doesn’t mean you are too. If you don’t have a security champion within your company, you likely aren’t maintaining effective security. What happens then?
Maybe sensitive information is left lying around in public places within your company because no one is reinforcing the message that it needs to be kept out of view when not in use.
Maybe passwords end up being shared out of convenience.
Maybe new equipment starts to appear on your network because the importance of avoiding shadow IT practices isn’t effectively communicated often enough.
Everyone in your organization is likely trustworthy, but why take the chance with your sensitive information and equipment when lax security efforts could make you a victim of sabotage?
What Must Your Cybersecurity Plan Include?
Your business needs will dictate some of the specifics of your cybersecurity plan, but there are elements that every plan must have:
1. Make sure you understand what your contracts require.
What do you need to include in your plan to be compliant with your contract requirements? Do your contracts require NIST compliance? ISO 9001 certification?
Do you process credit card information? Do you store credit card information? The requirements for each of these will be different.
Do you have access to personal information or health information? What does that mean in terms of your compliance requirements?
Read your contracts and understand the requirements. If you don’t understand them, ask the questions. The requirements provide key information that will form the framework of your plan.
2. Get your business aligned with your highest security items. What is your highest priority information? (Do you handle proprietary information? Do you work with secure or controlled information?)
3. Control access to your critical information and processes. While not everyone has bad intentions, it’s important to mitigate the risks that are inherent to your ability to do business.
4. Incident Response
How will you respond to an incident? Do you need to notify customers? Regulatory authorities? What information will you provide? How soon must you provide it? What should users do, and what should they not do?
As with some first aid responses, the immediate action required may be counterintuitive.
With first aid, if you suspect a neck or spine injury, the guidance is to not move the victim. With cybersecurity incidents, most people are primed to reboot their computer when it doesn’t work. In some cases, that can be the worst response because it can destroy evidence or do more harm than good.
Make sure your plan spells out what the response should be and that all users are trained well on their roles in that response.
5. User Expectations
Outline the expectations for your users. What is the acceptable use of company devices? What is unauthorized use? There are grey areas that vary from one company to the next.
For example, 98 percent of companies will say no gaming on company computers, but if you are a game manufacturer, you fall into the two percent and that policy likely won’t apply to your users.
With the majority of users working remotely, is it okay for people to use a company computer for occasional web browsing or shopping, or email? Define the grey areas!
Setting the rules of the road helps ensure that everyone knows what’s expected and aligns your organizational requirements with perceived threats.
The higher your organization's threat profile, the more important it is to lock down the grey areas. Put your expectations in writing.
What’s The Next Step In Creating A Cybersecurity Plan?
Now you know why it’s important for every business to have a cybersecurity plan. Cybersecurity threats are a real and growing danger for businesses large and small.
We’ve talked about:
- identifying information that needs protecting
- determining the kind of protection the information needs
- developing an implementation plan
- executing and maintaining
After reading this article, you also know the important elements that every cybersecurity plan must have:
- incident response
- user expectations
From here, the next best steps are to make sure you understand your compliance requirements and to start working to identify the sensitive information within your organization.
There are free resources online that can serve as a framework for your cybersecurity plan, or you can hire an outside organization to come in, assess your risk, and help you develop a plan that addresses your specific needs.
At Kelser, we help customers keep their infrastructure safe, available, and efficient by providing managed IT services that include cybersecurity solutions. Whether you work with Kelser or not, we hope you'll take the steps outlined in this article to develop a cybersecurity plan that works for your organization.
We believe in honesty and transparency, which drives us to provide articles like these that feature the information you need to keep your infrastructure operating optimally.
We understand that managed services aren’t right for every organization. Having said that, we are confident that our comprehensive solution provides the IT solution many businesses seek. Read this article to find out more: How Much Does Managed IT Cost? What’s Usually Included?