
Effective Cybersecurity Strategy for a Small Business [We Asked 45 Experts] - secureblitz
https://secureblitz.com/effective-cybersecurity-strategy-for-a-small-business/
======
cjcampbell
While there are some positive nuggets in here, I would not recommend the sum
product to any of my small business clients. I want to be clear that I don’t
say this lightly. In terms of cyber-security guidance, small businesses are
severely underserved. As such, I generally welcome any contribution or effort
to contribute relevant content. With that in mind, I thought I’d offer a few
pointers for those who want to do so.

Keep guidance actionable and be aware that small businesses are often
operating with a low degree of technical sophistication. While it may seem
reasonable to point to NIST guidelines including the CSF, be aware that your
audience might not even have the groundwork to examine the problem at this
level of abstraction. It might seem like a tip like “do backup” satisfies my
criteria, but I’d argue that it’s still not actionable for the small business
who does not fully understand the lifecycle of data in their own organization.

Shine a light on the threat landscape before reaching for easy fixes. In my
experience, small business leaders are particularly susceptible to snake oil
and silver bullets. They’re quick to deal with isolated symptoms rather than
the root cause of their ailments. Before you offer a suggestion, ask yourself
whether it might be misconstrued as a quick fix. A better first step is often
to put the primary threat and vulnerabilities into terms that are meaningful
to the business.

Don’t forget about the humans, and I mean both the leaders who may try to
enact these solutions as well as employees. What will they do when they
encounter friction with your guidance?

If you’ve been in the industry for a while, it’s likely time to read up on
topics like usable security and the new NIST password guidance. While there
are still use cases for 60-90 day password rotation, it does not belong at the
forefront of a small business password policy, where it very well may be
weakening the company’s security posture.

I’d say that with an audience that has limited resources to confront the
challenges, we need to consistently focus on incorporating basic security
hygiene into everyday business processes. I don’t see much value in a solution
like Li-Fi networking for a business that hasn’t found a way to keep servers
and end-user systems patched, meaningfully improved its employees’ password
practices, attempted to write an actionable security plan, or even taken the
time to discover and document its own legal and regulatory obligations.

Lastly, since I touched on it a couple times earlier, please be aware that
many (maybe most) small businesses will get lost in the process of creating
any sort of formal security policy or implementation plan. I can’t tell you
how many times I’ve read a security policy that had no grounding in reality. I
do encounter quite a few guides that were downloaded as free resources or
handed off by a well-meaning MSP. Sometimes a business owner has succeeded in
filling in the blank spaces meant for their business name, but they’re more
likely to have left them blank or filled them out with wrong information.

