Small and mid-sized businesses make up the majority of companies in this country and employ about 90 per cent of the workforce, yet many hold valuable intellectual property, personal information on customers or direct computer links to large firms.
All three are valuable targets for criminals and unfriendly countries. Yet many SMBs still think they don’t have to worry.
SMBs include convenience stores, dry cleaners, gas stations and manufacturing plants, but also law firms, accountants, financial advisors, engineering consultants and architects.
This being Cyber Security Awareness Month in many countries, it’s a good time to remind infosec pros who manage or advise owners of these firms of a valuable resource offered for them by Public Safety Canada. Called the Get Cyber Safe Guide for Small and Medium Businesses, it’s aimed at helping managers understand the cyber security risks their organizations face, and at providing them with practical advice on how to better protect their business and employees from cyber crime.
If you don’t know where to start, this 46-page PDF is a useful document.
There’s a section on employee awareness, which we’ll get to in a minute. But for the heads of these firms who aren’t sure where to start, try the 15-question self-assessment test.
Among other things it asks if cyber security is a priority for the business, if it has cyber security plans and policies and a disaster recovery plan, and some technical things, like whether the firm uses encryption to secure data. Most answers are yes/no, with a point for yes and a zero for no. “If your score was 0-to-15 then you should consider reading this whole guide, as soon as you can,” it advises. “Then, consult with others in the business to begin planning and implementing cyber security in your business.”
The guide is divided into 11 chapters, covering management issues, Web security, point of sale security, email security, data security, remote access security, mobile and physical device security.
As for the awareness section, it includes this advice:
You should put at least one person in your business in charge of cyber security. This person would be responsible for the following:
- Learning about threats, trends and security options.
- Planning, acquiring and implementing security safeguards.
- Helping other personnel understand cyber security best practices and policies.
- Enforcing cyber security best practices and policies with management support.
- Maintaining and updating the security safeguards used by your business.
Even with a clear person or group in charge of cyber security, their success within a business of any size relies on management support. The support you provide will depend on the size of the business, but some of the things all managers are responsible for include the following:
- Providing guidance to all employees on the importance of cyber security as part of operations, including policies to outline accountability for cyber security.
- Supporting and monitoring cyber security projects.
- Consulting with experts, such as legal counsel, for any external obligations such as provincial or federal law.
At fewer than 50 pages the guide is not an exhaustive framework for cyber security. It is a good beginning. Infosec pros who want more in their arsenal should at least add the Center for Internet Security’s 20 security controls, which include links to best practices.
For those who may find 20 controls unnecessary, the CIS has a shortened version of six prime controls for SMBs.