Cyber Guidance for Small Businesses
A Different Kind of Cybersecurity Advice
Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s wi-fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.
This advice is different.
Below, we offer an action plan informed by the way cyber-attacks actually happen. We break the tasks down by role, starting with the CEO. We then detail tasks for a Security Program Manager, and the Information Technology (IT) team. While following this advice is not a guarantee you will never have a security incident, it does lay the groundwork for building an effective security program.
Role of the CEO
Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:
- Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security must be an “every day” activity, not an occasional one. For example, set goals to improve security of your data and accounts through the adoption of multi-factor authentication (MFA) (more on that below), the number of systems you have fully patched, and the number of systems that you backup.
- Select and support a “Security Program Manager.” This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.
- Review and approve the Incident Response Plan (IRP). The Security Program Manager will create a written IRP for the leadership team to review. The IRP is your action plan before, during, and after a security incident. Give it the attention it deserves in “peace time,” and involve leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident.
PRO TIP: Invoke the IRP even when you suspect a false alarm. “Near misses” drive continuous improvements in the aviation industry, and the same can be true for your security program. Never let a near miss go to waste!
- Participate in tabletop exercise drills (TTXs). The Security Program Manager will host regular attack simulation exercises called tabletop exercises. These exercises will help you and your team build reflexes that you’ll need during an incident. Make sure your senior leaders attend and participate.
- Support the IT leaders. There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts instead of asking IT to do so. For example, do not rely on the IT team to persuade busy staff that they must enable a second way to sign-in to their email by enabling MFA. Instead, make the MFA announcement to the staff yourself and keep track of the progress. Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.
A note on MFA: Multi-factor authentication (MFA) is a layered approach to securing your online accounts and the data they contain. It’s the idea that you need more than a password to keep your data and accounts safe. When you enable MFA for your online services (like email), you provide a combination of two or more authenticators to verify your identity before the service grants you access. Common forms of MFA are SMS text messages sent to your phone, 6-digit codes generated on a smartphone application, push notifications sent to your phone, and physical security keys.
Using MFA protects your account more than just using a username and password. Users who enable MFA are MUCH less likely to get hacked. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement ultimately stopping them from gaining access to your accounts.
Role of the Security Program Manager
The Security Program Manager will need to drive the elements of the security program, inform the CEO of progress and roadblocks, and make recommendations. These are the Security Program Manager’s most important tasks:
- Training. All staff must be formally trained to understand the organization’s commitment to security, what tasks they need to perform (like enabling MFA, updating their software and avoiding clicking on suspicious links that could be phishing attacks), and how to escalate suspicious activity.
- Write and maintain the Incident Response Plan (IRP). The IRP will spell out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all major activities, and an address book for use should the network be down during an incident. Get the CEO and other leaders to formally approve it. Review it quarterly, and after every security incident or “near miss”. Need to know where to start? Look to our Incident Response Plan Basics two-pager with advice on what to do before, during and after an incident. To request assistance or to share information about an incident that can help protect other potential victims, you can contact CISA at https://www.cisa.gov/report.
- Host quarterly tabletop exercises (TTXs). A TTX is a role-playing game where the organizer (possibly you!) presents a series of scenarios to the team to see how they would respond. A common scenario involves one employee discovering their laptop is blocked by ransomware. Symphonies and sports teams practice regularly, and your organization should, too. CISA has Cybersecurity Tabletop Exercise Tips to get you started.
- Ensure MFA compliance. Yep--MFA Again! The most important step an organization can make is to ensure that all staff use MFA to log into key systems, especially email. While this task is also listed under the IT section below, it is critical that multiple people review the MFA status on a regular basis.
In addition to the advice here, we urge you to look at the information and toolkits available from our Cyber Essentials series to continue to mature your program.
Role for the IT Lead
The top tasks for the IT lead and staff include the following:
- Ensure MFA is mandated using technical controls, not faith. Some organizations have instructed their users to enroll in MFA, but not all users complete that task. There are often MFA gaps for recently onboarded staff and for people who have migrated to a new phone. You’ll need to regularly look for non-compliant accounts and remediate. Verify, verify, verify MFA stats.
- Enable MFA for all system administrator accounts. System administrators are valuable targets for attackers. You might assume that they would reflexively enroll in MFA. Yet Microsoft reports that only 30% of Azure Active Directory global administrators use MFA. In many compromises, attackers were able to get a foothold on the system administrator’s account, and from there they had complete access to all the company’s assets.
- Patch. Many attacks succeed because the victims were running vulnerable software when a newer, safer, version was available. Keeping your systems patched is one of the most cost-effective practices to improve your security posture. Be sure to monitor CISA’s Known Exploited Vulnerabilities (KEV) Catalog, a list of the vulnerabilities we see attackers using in real attacks. Prioritize the vulnerabilities in the KEV. Also, where possible enable auto update mechanisms.
- Perform and test backups. Many organizations who have fallen victim to ransomware either had no backups or had incomplete/damaged backups. It’s not enough to schedule all important systems to have a regular backup. It’s critical to regularly test partial and full restores. You’ll have to pick a cadence for the backups (continuous, hourly, weekly, etc.). You’ll also want to write a plan for the restoration. Some organizations experiencing ransomware attacks found that the time to restore their data was significantly longer than expected, impacting their business.
- Remove administrator privileges from user laptops. A common attack vector is to trick users into running malicious software. The attacker’s job is made easy when users have administrator privileges. A user who lacks administrator privileges cannot install software, and this type of attack won’t work.
- Enable disk encryption for laptops. Modern smartphones encrypt their local storage, as do Chromebooks. Windows and Mac laptops, however, must be configured to encrypt their drives. Given how many laptops are lost or stolen each year, it’s important to ensure that your laptop fleet is protected.
There are, of course, many other IT tasks that add to a good security program. While this list is not exhaustive it does contain the top actions you can take that addresses the most common attacks.
Achieving the Highest Security Posture
When security experts give cybersecurity advice, they usually assume you are only willing to make small changes to your IT infrastructure. But what would you do if you could reshape your IT infrastructure? Some organizations have made more aggressive changes to their IT systems in order to reduce their “attack surface.” In some cases, they have been able to all but eliminate (YES, WE SAID ELIMINATE!) the possibility of falling victim to phishing attacks. Sound interesting? Keep reading!
On premises vs cloud
One major improvement you can make is to eliminate all services that are hosted in your offices. We call these services “on premises” or “on-prem” services. Examples of on-prem services are mail and file storage in your office space. These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure.
While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.
While all operating system vendors work to continuously improve the security of their products, two stand out as being “secure by design,” specifically, Chromebooks and iOS devices like iPads.
Some organizations have migrated some or all their staff to use Chromebooks and iPads. As a result, they have removed a great deal of “attack surface,” which in turn makes it much harder for attackers to get a foothold. Even if an attacker were able to find a foothold on those systems as part of a ransomware attack, the data primarily lives in a secure cloud service, reducing the severity of the attack.
FIDO: The MFA gold standard
Any form of MFA is better than no MFA. Any form of MFA (like SMS text messages, or authenticator codes) will raise the cost of attack and will reduce your risk. Having said that, the only widely available phishing resistant authentication is called “FIDO authentication.” When an attacker eventually tricks you into trying to log into their fake site to compromise your account, the FIDO protocol will block the attempt. FIDO is built into the browsers and smartphones you already use. We urge you to learn how FIDO resists phishing attacks.
The combination of a cloud-hosted email service, secure-by-default devices, and FIDO authentication will dramatically raise the cost for attackers and will dramatically reduce your risk. It’s worth considering.
In addition to those highlighted above, here are some additional resources available, at no cost, to help improve your cybersecurity.
As part of the whole-of-government approach to combating ransomware, CISA created StopRansomware.gov, a one-stop-shop of free resources for organizations of any size to protect themselves from becoming a victim of ransomware. If you have experienced a ransomware attack, we strongly recommend using the following checklist from our Ransomware Guide.
Reach out to our Regional Team in your local area for tailored assistance. Aligned to specific areas, the regions provide a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators and state, local, tribal, and territorial partners.
Free Cybersecurity Tools and Resources
CISA offers a list of free cybersecurity tools and services that serves as a living repository of cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
Cybersecurity Evaluation Tool (CSET)
The Cybersecurity Evaluation Tool (CSET) is an open-source self-assessment tool designed for stakeholders to install on their endpoint device. For those interested in using the tool or participating in CISA's open-source community, visit https://github.com/cisagov/cset. To download the file, click https://cset-download.inl.gov/.
Risk Management Considerations
For businesses and organizations considering using a Managed Service Provider (MSP) for your security services, review CISA’s guidance on important risk management considerations.
For businesses and organizations, considering using a Cloud Service Provider (CSP), review CISA’s guidance on cloud security.