Appendix: Cybersecurity For The Small and Medium Size Business
Effectively managing and addressing cyber-security threats and the consequent risks is always a matter of resources—both the availability of resources and how businesses utilize the resources available to them. Unfortunately, the availability of effective resources often boils down to money.
More money can often mean more resources. Money can obtain a highly skilled workforce to effectively manage cybersecurity threats. Money can purchase the services of a third-party vendor to assist the business in defending against cyber-security threats, and money can buy sophisticated hardware and software to aid in the cyber-security fight. And big business often has more money than a smaller business.
However, while it may be true that you often get what you pay for, when it comes to resources to mitigate the threats and risks that result from cyber-security attacks, SMBs can get a lot of bang for their buck if those resources are managed appropriately, and may even find that some of the most effective resources are free.
“Anything that just costs money is cheap.” – John Steinbeck
The truth is that having the money to buy these identified resources is not the most effective defense against cyber-security threats. The most effective defense is appropriately implementing all the resources which are currently available to your business. So, let’s find the value in what we have, not in what we can purchase.
“Nowadays people know the price of everything and the value of nothing.” – Oscar Wilde
What can the SMB do to combat cyber-security threats with limited money and current personnel?
CYBER-SECURITY ASSESSMENT RESOURCES
Several free tools are available to assess your overall cybersecurity readiness.
- FFIEC Cyber Assessment Tool
- Greater Houston Partnership
- US-CERT—United States Computer Emergency Readiness Team
- Federal Cybersecurity Programs: A Resource Guide
INFRASTRUCTURE ASSESSMENT RESOURCES
If you have not previously conducted an Infrastructure Risk Assessment, knowing where to begin can be a daunting task in and of itself. These articles and tools identify the basics:
- SANS Institute—IT Infrastructure Security-Step-by-Step
- IT Weapons—Best Practices, Tips and Tricks
- Info-Tech—Infrastructure Capacity Assessment Tool
- IBM—IT Infrastructure Assessment
THREAT AND RISK ASSESSMENT RESOURCES
Numerous resources exist to assist in developing a threat and risk assessment for your company and to assist in further understanding the basics of the need for and methodology of conducting a threat assessment.
- Canadian Office of the Superintendent of Financial Institutions—Cyber Security Self-Assessment Guidance
- SANS Institute—An Overview of Threat and Risk Assessment
- MITRE—Cyber Threat Susceptibility Assessment
- GT Magazine—5 Steps to Cyber-Security Risk Assessment
CONTROL IMPLEMENTATION RESOURCES
Information Security Policies
- Information Security Policy
- Acceptable Encryption Policy
- Vendor Management Program
Information Security Organizations
Federal Regulatory Agencies
- FDIC-A Cybersecurity Guide For Businesses
- FCC-Cybersecurity for Small Business
- Federal Reserve
- FFIEC-Promotes Awareness of Cybersecurity Activities
- FTC-Data Security
- NCUA-Cyber Security Resources
State Regulatory Agencies
- New York State Cybersecurity Requirements for Financial Services Companies
- Massachusetts Cyber Security
- Top 10 Cybersecurity Companies
- Cybersecurity Ventures Top 50 Security Companies to Watch [2]
- Cybersecurity Solutions-2017
- 13 Security Solutions for Small Business
[1] “5 Things You Need to Know About Cybersecurity Insurance.” Lucian Constantin, 4/25, 2014.
[2] “Cybersecurity Ventures Top 50 Security Companies to Watch.” Sue Marquetta Poremba, 3/13/2017.