“Plans are worthless, but planning is everything.” When President Dwight D. Eisenhower said this in 1957, he certainly wasn’t referring to an Information Security (InfoSec) program. The principle, however, is applicable to preparing your small business to contend with modern hacking groups. Assessing your organization’s cybersecurity posture, identifying its vulnerabilities, and formulating a plan to defend your digital assets are often-overlooked necessities for small businesses.
Some small-business owners believe that their size renders them invisible to malicious actors. Unfortunately, recent cybercrime statistics suggest that small businesses are in fact easy, frequently exploited targets. According to Verizon’s 2021 Data Breach Investigations Report, small businesses accounted for about 46% of the breaches the report analyzed. External actors were behind 57% of those small-business breaches, and 93% of the actors were financially motivated.
While creating a robust InfoSec program may seem intimidating and expensive, the truth is that it doesn’t have to be. Based on my observations as a penetration tester, the most difficult businesses to compromise are not those with multi-million-dollar security budgets, but those that have a solid understanding of their own risks and systematic processes for mitigating them. While the former can require a robust staff and suite of tooling, the latter simply requires planning and consistent due diligence.
To begin planning and maintaining an InfoSec program for your small business, focus on these five areas:
Understand your environment
To determine where you’re going, you must first determine where you are. In InfoSec, determining where you are translates to mapping your InfoSec environment. Only after you’ve mapped your InfoSec environment should you begin making extensive InfoSec plans.
First, let’s define InfoSec ‘environment.’ Your InfoSec environment is your network and attack surface and how both relate to your current and future business objectives. Understanding your environment is critical because business environments are always changing.
For example, five years ago, you might have used on-premises servers. Now, you’re in the cloud, with a hybrid workforce, and federating all your authentication needs through a third party like Okta or Duo. Each change that is made to your environment inherently changes the organization's risk posture, hopefully for the better, but not always.
Once you understand your current InfoSec environment, you must also understand where it’s going. For example, are you planning to add another location? Expanding your workforce? Shifting to a hybrid work arrangement? The good news is that none of these changes happen overnight. As you’re charting your business trajectory, include InfoSec in your planning. The key is ensuring that your approach to InfoSec is proactive and preventative rather than reactive. Gathering the operations, IT, and security teams together to brainstorm future initiatives now may save you from exercising your disaster recovery plan later. (You’ve got a disaster recovery plan, right?)
Understand your attack surface
Once you understand your InfoSec environment, you can begin to get granular about mapping your attack surface. Your attack surface is every way a malicious actor could breach your company. It includes every server and service a malicious actor can reach from the internet as well as individual devices, such as laptops, tablets, and phones. To put it simply, if it’s part of your network or a service that your organization uses, then it’s part of your attack surface.
If your small business uses a managed service provider, your provider should be able to supply a comprehensive inventory of servers and devices. However, it is easy to overestimate one’s familiarity with the true attack surface, especially in a complex environment that has not recently had a penetration test or an external scan.
For example, if your business has security cameras, can they be accessed from an external IP address by any internet user? Is your HVAC system accessible from the open internet, and when was the last time it was patched? Do you have smart thermostats or TVs that aren’t protected within your network? Do any of these devices retain their default credentials, which a malicious actor could simply Google?
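To turn the questions above into a repeatable check, here is an added example (not tooling from the original post) that reads the XML report written by `nmap -oX` after an external scan of your public IP range and flags open ports that a small business rarely has a good reason to expose: remote administration, databases, camera streams and building-automation protocols. The XML embedded below is a constructed sample in that format, not a real scan, and the port list is an assumption you should tune for your own environment.

```python
"""Triage an external scan result for unexpected exposure.

Added example for this post, not the author's tooling. It parses the XML
that `nmap -oX` writes and lists every open port on every live host, then
flags ports a small business rarely needs to expose to the internet.
The XML below is a constructed sample of that format, not a real scan,
and RISKY_PORTS is an assumed list to adjust for your environment.
"""
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout: two hosts, several open ports.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="filtered"/><service name="ssh"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="203.0.113.25" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
      <port protocol="udp" portid="47808"><state state="open"/><service name="bacnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Ports that usually should not face the internet (assumed list; tune it).
RISKY_PORTS = {
    22: "ssh (remote admin)",
    23: "telnet (cleartext admin)",
    3389: "rdp (remote admin)",
    5900: "vnc (remote admin)",
    445: "smb (file sharing)",
    1433: "mssql (database)",
    3306: "mysql (database)",
    5432: "postgresql (database)",
    554: "rtsp (camera video stream)",
    37777: "dahua camera management",
    47808: "bacnet (building automation / hvac)",
    502: "modbus (industrial control)",
}


def parse_open_ports(nmap_xml: str):
    """Return [(ip, hostname_or_None, proto, port, service)] for every open port on a live host."""
    root = ET.fromstring(nmap_xml)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ip = addr_el.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not exposure
            svc = port.find("service")
            service = svc.get("name") if svc is not None else "unknown"
            results.append((ip, hostname, port.get("protocol"), int(port.get("portid")), service))
    return results


def flag_risky(open_ports):
    """Return only the exposures whose port is in RISKY_PORTS, with the reason."""
    return [
        (ip, proto, port, service, RISKY_PORTS[port])
        for ip, _hostname, proto, port, service in open_ports
        if port in RISKY_PORTS
    ]


if __name__ == "__main__":
    exposures = parse_open_ports(SAMPLE_NMAP_XML)
    print(f"{len(exposures)} open ports on live hosts")
    for ip, proto, port, service, reason in flag_risky(exposures):
        print(f"REVIEW {ip} {proto}/{port} {service} -> {reason}")
```

Run it against a real report with `nmap -sS -sU -oX scan.xml <your public range>` and feed the file contents to `parse_open_ports`. Anything it flags is not automatically a vulnerability, but each item is a question for the person who owns that device: does it need to be reachable from the internet at all, and if so, who patched it last and did anyone change the default password?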
Creating a comprehensive map of your attack surface provides valuable insight into how a malicious actor could gain a foothold in your IT architecture and begin moving from device to device within your network. This is where a defense-in-depth approach becomes critical. Defense in depth layers several controls: endpoint security, such as antivirus software; patch management tools that keep your systems and applications up to date; network security controls, such as VPNs and intrusion detection systems; and access management controls, such as multi-factor authentication and impossible-travel alerts (a sign-in from a location the user could not plausibly have reached since their previous sign-in).
However, no matter how hardened your external perimeter is, you should assume that a malicious actor eventually will find a way in. At that point, it becomes essential from an incident response standpoint to be intimately familiar with the internal attack surface so that the threat can be detected, contained, and mitigated.
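Impossible-travel alerting, mentioned above, is simple enough to build yourself if your identity provider exports sign-in logs with a geolocation. The following is an added example, not code from this post or from any vendor: it reads constructed JSON-lines sign-in events, keeps only successful sign-ins, and flags consecutive sign-ins by the same user whose implied speed exceeds what an airliner could manage. The field names, the sample events and the 900 km/h threshold are all assumptions.

```python
"""Impossible-travel check over sign-in logs.

Added example for this post (not the author's or any vendor's detection
logic). Each input line is one JSON sign-in event with the geolocation an
identity provider attaches to the source IP. Consecutive successful
sign-ins by one user are compared; if covering the distance between them
in the elapsed time would require more than MAX_SPEED_KMH, an alert is
raised. Field names and the threshold are assumptions.
"""
import json
import math
from datetime import datetime

# Constructed sample: Sally hops Boston -> Kyiv in 42 minutes, Bob commutes
# Boston -> New York over a working day, Kim has one failed foreign attempt.
SAMPLE_LOG = """\
{"user": "sally@example.test", "ts": "2024-03-04T09:00:00Z", "ip": "198.51.100.7", "lat": 42.36, "lon": -71.06, "result": "success"}
{"user": "sally@example.test", "ts": "2024-03-04T09:42:00Z", "ip": "203.0.113.9", "lat": 50.45, "lon": 30.52, "result": "success"}
{"user": "bob@example.test", "ts": "2024-03-04T08:00:00Z", "ip": "198.51.100.20", "lat": 42.36, "lon": -71.06, "result": "success"}
{"user": "bob@example.test", "ts": "2024-03-04T17:30:00Z", "ip": "198.51.100.44", "lat": 40.71, "lon": -74.01, "result": "success"}
{"user": "kim@example.test", "ts": "2024-03-04T10:00:00Z", "ip": "203.0.113.50", "lat": 35.68, "lon": 139.69, "result": "failure"}
{"user": "kim@example.test", "ts": "2024-03-04T10:05:00Z", "ip": "198.51.100.61", "lat": 42.36, "lon": -71.06, "result": "success"}
"""

MAX_SPEED_KMH = 900.0    # assumed: roughly a commercial airliner
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(log_text):
    """Parse JSON lines into dicts with an aware datetime, keeping successful sign-ins only."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("result") != "success":
            continue  # a failed attempt proves nothing about where the user is
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per pair of consecutive same-user sign-ins whose implied speed exceeds the threshold."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last_seen.get(ev["user"])
        if prev is not None:
            dist = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # Same location is never travel; zero elapsed time with movement is infinite speed.
            if dist > 0 and (hours <= 0 or dist / hours > max_speed_kmh):
                alerts.append({
                    "user": ev["user"],
                    "from_ip": prev["ip"],
                    "to_ip": ev["ip"],
                    "distance_km": round(dist),
                    "minutes": round(hours * 60),
                    "speed_kmh": round(dist / hours) if hours > 0 else math.inf,
                })
        last_seen[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['user']}: {alert['from_ip']} -> {alert['to_ip']}, "
              f"{alert['distance_km']} km in {alert['minutes']} min ({alert['speed_kmh']} km/h)")
```

Failed attempts are deliberately dropped before the comparison: a failed login from the other side of the world says nothing about where the user actually is, and including it would fire on every password-spraying attempt. Expect some false positives from VPN exit nodes and mobile carrier IP ranges that geolocate poorly; tune the threshold or maintain an allow-list of known corporate egress addresses rather than turning the check off.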
Set clear and concise policies
Every business, regardless of size, needs a Written Information Security Program (WISP). In fact, businesses operating in certain industries, such as healthcare, are legally required to have WISPs. While your WISP does not need to be long and complex, it should at a minimum outline:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
If your business does not have a WISP, basing one on the Center for Internet Security (CIS) Critical Security Controls Version 8 is a good place to start. CIS Controls v8 is a practical, prioritized set of safeguards that gives you a defensible baseline without having to invent one from scratch.
CIS also provides a policy guide that includes WISP templates. While templates offer sound starting points, they often contain a lot of boilerplate language and irrelevant information. Cut out anything that doesn’t apply to your small business; otherwise, you may end up with a monstrous document that no one reads.
Finally, policies and procedures in your WISP should reflect your small business as it's currently configured – not future initiatives and features. Update your WISP once you’ve rolled out new business elements.
Define and test a disaster recovery plan
What steps will your small business take to recover from an attack? These steps constitute your Disaster Recovery Plan (DRP).
DRPs are only useful if they evolve with your small business. Any time your InfoSec environment and/or attack surface changes, revisit your DRP. Conduct tabletop exercises to simulate attacks on valuable company assets. For example: Your head of marketing falls victim to a spear-phishing attack, which compromises your client list. During the tabletop exercise, your team reviews hypothetical responses while others challenge those responses. The exercise may go something like this:
CEO: Sally from marketing’s email was compromised. What’s the impact?
Analyst 1: She has a master list of all our clients. The malicious actor could socially engineer the clients by sending an email as Sally.
CEO: How do we stop this?
Analyst 1: We lock down her email account.
Analyst 2: How about we create a fake email account, replicate this attack, see what the malicious actor could obtain, and see if locking down her email account addresses the issue?
The goal of these exercises is to reach the point where your DRP breaks down. Once you identify that point of failure, update your DRP to eliminate it. To get started, CIS has a useful white paper laying out six scenarios for these types of exercises, and each scenario is mapped to the applicable CIS Controls, which helps you refine your WISP at the same time.
Set quarterly and annual reviews and objectives
The point of creating quarterly and annual reviews along with objectives is to mature your InfoSec program. If your InfoSec posture constantly lags the growth of your small business, you’re constantly vulnerable. The alternative is to establish your InfoSec baseline by following the tips in this post, forecast your growth, create a plan for your InfoSec posture to evolve alongside it, and then repeat the process by establishing a new baseline.
Create quarterly, annual, three-year, and five-year goals for your InfoSec posture that reflect where your small business is headed. Your progression toward those objectives can include smaller milestones, such as cybersecurity awareness training for your employees, running phishing and social engineering testing, or even simply preparing a short presentation on common InfoSec threats in your industry. KnowBe4 is also a great training resource. A little time spent on Google, IBM X-Force Exchange, or VirusTotal will reveal threats specific to your industry and business size.
This type of research and in-house employee education costs little beyond time and planning. The key is to emphasize continuous refinement, continuous improvement, and continuous re-evaluation. Complacency kills.
Moving forward with a plan
Small businesses are not immune to malicious actors. Fortunately, they are agile enough to implement these simple, low- or no-cost tips, which can form the basis of your InfoSec plan. Planning does not need to be complicated, time-consuming, or expensive. However, it does require a commitment to setting goals, monitoring progress, and updating your InfoSec plans and priorities as your small business grows.
This work is as essential to the health and sustainability of your small business as paying your bills and balancing your books. And while it’s true that no plan survives first contact, having no plan at all jeopardizes your small business’ chances of surviving first contact. And believe us: If it hasn’t happened yet, contact is coming.