Cybersecurity for Small and Medium Businesses

Small and Medium Businesses (SMBs) are not immune from the onslaught of cybersecurity attacks that continue making headlines. Our anecdotal observations indicate they may, in fact, be more impacted by cybersecurity attacks than the large organizations whose breaches make headlines. However, no reporting requirements or information sharing standards provide an outlet for SMBs to communicate a breach, and the cybersecurity challenges of small businesses rarely generate much alarm in the news cycle. Thus, SMBs suffer from cybersecurity risk without a suitable means of reporting or support.

What are SMBs to do? First, obvious as it sounds, doing something is better than doing nothing. For SMB leaders and small business owners, ignoring cybersecurity risk is the 2021 equivalent of never reading your financial statements or ignoring your tax reporting requirements. Eventually, the consequences of ignoring cyber risk harm your company and employees. That said, it can be overwhelming to address the risks when you don’t fully understand them.

Several cybersecurity and IT control frameworks are available to help identify and implement IT controls. The Center for Internet Security (CIS), a non-profit collective of security professionals, promulgates CIS Controls v8, a list of the top 18 controls that companies can use to implement a secure computing environment. We like CIS Controls v8 because of its simplicity and flexibility. All 18 controls are important, but because cybersecurity maturity differs widely among businesses, each control includes a series of safeguards: specific actions an enterprise can take to implement the control. The safeguards are categorized into three Implementation Groups to help businesses apply security activities appropriate for their own size and complexity. Here are the first 5 controls an SMB can immediately implement to reduce its cybersecurity risk.

1: Inventory and Control of Enterprise Assets

If a threat actor is going to breach a system, they must target a specific logical or physical thing: a computer, server, software, or infrastructure device. The first two CIS controls require a company to maintain an accurate inventory of all of its assets, both hardware and software. If you don’t know what assets you have, you won’t know what to protect. This task goes much further than checking your depreciation schedule, which might list “25 Dell Workstations”. The inventory should be specific, including make, model, serial number, and other identifying information, and it should cover anything that has the ability to hold, pass, or store data, such as routers, firewalls, servers, web applications, workstations, hard drives, etc.

2: Inventory and Control of Software Assets

Similarly, an up-to-date software inventory allows a company to assess how current its software is and whether any outdated or unused software resides on the network. It also helps to know what software is on your systems when large-scale breaches are made public. Is your company using SolarWinds? How about ManageEngine? If so, your software inventory should have reflected those applications, and your company would have been better positioned to respond to the widespread security breaches involving these two software providers.

3: Data Protection

It’s been said that data is the new oil. Companies collect enormous amounts of data about their customers. Data brokers and advertisers buy and sell it for marketing purposes, and if a company loses its data, its entire business could be in jeopardy. The first step to protecting data is knowing what data you have and where it’s kept, and creating a plan to protect it. As with the hardware and software inventories, a company should maintain a data inventory that is periodically updated. Could the business owner or management team accurately identify which data is most critical to operating the business? Sensitive data is not just credit card numbers. How about non-business data that is still sensitive? Consider lists of suppliers; customer purchase or demographic data; employee information contained in the payroll and HRIS systems; patents or operating manuals that give your company its competitive advantage.

4: Secure Configuration of Enterprise Assets and Software

It would be great if having a complete, accurate inventory of hardware and software assets were enough to ensure sufficient cybersecurity controls. Of course, it’s not. The best inventory list does not confirm that the assets on the list are properly configured to reduce risk and protect data. To that end, care should be taken to ensure hardware and software assets have been securely configured. Examples include procedures as simple as creating unique user accounts, disabling unnecessary generic accounts in newly installed software, or changing default administrator passwords, all of which contribute to protecting a system and enhancing cybersecurity. Secure configuration also includes technical settings like ‘deny-all’ rules on local firewalls, dropping traffic on all ports except those required for an application to operate, and disabling unused and insecure services like HTTP and Telnet.
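As an added example (not code from the original article), this Python script shows how an SMB’s IT staff might check a Linux host against the “deny-all except required ports” rule described above. It assumes the output of `ss -tlnp` (the sample below is constructed) and a list of ports the business’s applications actually require; the `ufw` lines it emits are a standard default-deny ruleset for Ubuntu hosts.

```python
import re

# Constructed sample of `ss -tlnp` output (not from the page); a real audit
# feeds in the command's actual output instead.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("in.telnetd",pid=900,fd=4))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1200,fd=6))
LISTEN  0       128     127.0.0.1:5432       127.0.0.1:*        users:(("postgres",pid=1300,fd=5))
LISTEN  0       128     [::]:443             [::]:*             users:(("nginx",pid=1200,fd=7))
"""

# Cleartext services the article says to disable, keyed by well-known port.
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 80: "http"}
LOOPBACK = {"127.0.0.1", "[::1]"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)

def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m["addr"], int(m["port"]), m["proc"] or "?"))
    return found

def audit_listeners(ss_output, required_ports):
    """Flag exposed listeners that are insecure or not required; loopback-only ones are skipped."""
    findings = set()
    for addr, port, proc in parse_listeners(ss_output):
        if addr in LOOPBACK:
            continue  # unreachable from the network, so no firewall question arises
        if port in INSECURE_SERVICES:
            findings.add((port, proc, f"insecure cleartext service ({INSECURE_SERVICES[port]}); disable it"))
        elif port not in required_ports:
            findings.add((port, proc, "not required by any application; drop at the firewall"))
    return sorted(findings)

def deny_all_rules(required_ports):
    """Default-deny ruleset in ufw syntax that opens only the required ports."""
    rules = ["ufw default deny incoming", "ufw default allow outgoing"]
    return rules + [f"ufw allow {p}/tcp" for p in sorted(required_ports)]
```

Run `audit_listeners(SAMPLE_SS_OUTPUT, {22, 443})` to list the Telnet and HTTP findings, and `deny_all_rules({22, 443})` for the matching firewall commands.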

5: Account Management

Have you ever taken a moment to consider how many different “identities” exist in your company? Most SMBs have several different systems, each with a different username and password combination (how many different passwords do you have?). A company with 50 employees and 5 different software applications might conservatively have 250 different identities to track. Each identity (or user account) could be a possible attack vector into your company’s systems. That is why establishing repeatable, effective, and measurable user account management practices is so important. Employees should use unique user accounts. Both administrator and regular user accounts should be tracked and managed. In particular, when an employee leaves the company or changes positions, procedures should be in place to communicate those changes to the IT staff quickly and accurately so they can make the necessary changes.
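An added example, not from the original article, of the account reconciliation this control calls for: it joins a constructed HR roster against constructed per-application account exports to find logins that belong to departed employees, shared or unowned logins, administrator accounts, and how many identities each person carries. The column names and the “yes”/“active” values are assumptions about the export format.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not from the page). In practice the roster comes
# from the HR/payroll system and each application exports its own user list.
HR_ROSTER_CSV = """\
email,name,status
ana@example.com,Ana Ruiz,active
ben@example.com,Ben Ito,active
cat@example.com,Cat Lee,terminated
"""

ACCOUNTS_CSV = """\
app,username,owner_email,is_admin
payroll,ana.ruiz,ana@example.com,no
payroll,cat.lee,cat@example.com,no
crm,ana,ana@example.com,yes
crm,ben,ben@example.com,no
crm,cat,cat@example.com,no
fileserver,frontdesk,,no
fileserver,ben.ito,ben@example.com,yes
"""

def reconcile_accounts(hr_csv, accounts_csv):
    """Compare every application account against the HR roster."""
    status = {r["email"].strip().lower(): r["status"].strip().lower()
              for r in csv.DictReader(io.StringIO(hr_csv))}
    report = {"orphaned": [], "unowned": [], "admins": [], "identities": Counter()}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        key = (acct["app"], acct["username"])
        owner = acct["owner_email"].strip().lower()
        if acct["is_admin"].strip().lower() == "yes":
            report["admins"].append(key)  # privileged logins to review separately
        if owner in status:
            report["identities"][owner] += 1  # one more identity this person must manage
            if status[owner] != "active":
                # The person has left or changed status but the login still exists.
                report["orphaned"].append(key)
        else:
            # Blank or unknown owner: a shared/generic login nobody is accountable for.
            report["unowned"].append(key)
    return report
```

Each list in the returned report is an action item: disable orphaned logins, assign or remove unowned ones, and confirm every admin account is still needed.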

Small and Medium Businesses are not exempt from cybersecurity attacks. CIS Controls v8 is an excellent launch point for designing and implementing a more robust cybersecurity environment. Taking steps now to ensure the safety of your company is imperative, and equally as important as budgeting, tax planning, and other normal business operations. If you are looking for more information on how to keep your company’s data safe, please contact us. (The full list of CIS Controls v8 is available here.)

About the Author

Bryan Newlin, CPA, CITP, CISA

Bryan began his career with YHB in 2005 and has been a key leader in YHB’s respected Risk Advisory Services practice since 2007. Focusing on two of the most well-known technology internal control frameworks, the AICPA’s Trust Services Categories and ISACA’s COBIT® framework, Bryan works across industries to help clients identify and mitigate information and technology risk.

Bryan leads the Firm’s SOC Examination Practice with specialty niches in business process outsourcing companies, contact centers, media and communications companies, and cloud-native applications.