Developing a Cybersecurity Plan for a Small Business

Benjamin Franklin and Winston Churchill are credited with saying, "those who fail to plan, plan to fail." That could not be more true than in the cybersecurity world, where failure to plan for the inevitable cyber attack is risky. In fact, employees of small businesses are three times more likely to be targeted than employees of larger companies. As a result, 61% of all SMBs have reported at least one cyberattack in the last year.  

Implementation of a cybersecurity plan can help reduce and mitigate attacks. So, what is a cybersecurity plan? What does it include? Who creates it? Who reads it? Here’s how to develop a cybersecurity plan that is right for your business.

Cybersecurity Myths

First, it’s important to dispel a few myths about cybersecurity:

Myth #1: If I buy the right products, I have cybersecurity. Simply buying a firewall and installing antivirus software on your computers is a reasonable first step, but it doesn’t provide all the protection you need. First, those products need to be installed and configured correctly, and then maintained over time if they are to do their job.

Myth #2: I’ve got a small company, so we’re not a target for cyber-criminals. This isn’t true either. In fact, small businesses suffer from more attacks than large businesses, simply because cyber-criminals view them as easier targets. 

Myth #3: If I get hit with a cybersecurity attack, my backups will protect me. Backups are certainly a good precaution, but they won’t protect you against many types of attacks such as phishing attacks and website attacks. Furthermore, some advanced strains of ransomware work quietly to encrypt your backups as well, rendering recovery much more difficult. 

Myth #4: My employees don’t have access to sensitive information, so I’m not worried about account compromise. Just because an employee’s account can’t get into your financial records, your business is still not secure from attacks. A determined hacker may find other ways to disrupt your business such as inserting bogus transactions to damage the integrity of your bookkeeping. They may even try to delete data if they can’t figure out how to access it.

Who in the organization should prepare a cybersecurity plan?

Preparation of your cybersecurity plan will likely fall on your IT team. However, many IT professionals do not have expertise in cybersecurity, which is much more than implementing a firewall and passwords. Instead, an external perspective can provide extremely valuable insight into a customized plan for your organization.

For example, creating a cybersecurity plan is often the first step for a vCISO. Such an individual will have experience with organizations of similar sizes, industries, and regions to ensure your plan is typical. They will also be able to provide valuable guidance on budgeting and prioritization of the plan to make sure you are spending resources wisely.

How is a cybersecurity plan built?

1. Where do you start? The first phase of the plan is to assess the current state of your organization and assets. You'll want to assemble detailed architecture documents of your infrastructure, including networks, servers, and endpoints. You'll also want a list of other assets to protect, including the types and locations of critical data.

Don't forget to include network services such as Active Directory, DNS, etc. You'll also need to understand your current business risk environment and business needs, so you can prioritize the information to protect.

Finally, you'll want to extend the assessment to include your supply chain and distribution partners. All of this information should be organized as a company-wide risk assessment. At this point, you should have a good idea of what you need to protect and your most significant risk areas.

2. Where do you want to be? Next, you need to plan what your future state will look like. You'll need to set goals appropriate to your organization and accepted levels of risk. Often this is done by describing the organization's cybersecurity maturity level. To do that, you'll need to identify how you'll manage individual risks, including controls for risk mitigation, risk offload (insurance), and risk acceptance.

It's also critical at this point to begin identifying ways to measure success. You will only know if controls are working and risk is reduced if you have a way to measure them. Finally, you'll want to review all this with your management and stakeholders and get their buy-in.

3. How will you organize your plan? Rather than starting from scratch, the best way is to select an existing industry standard framework/model and apply it to your current state. General models include the NIST 800 series, ISO-27001, and Mitre ATT&CK. There may also be compliance standards in your industry that can be included here, such as PCI-DSS and SOC2.
4. How do you get there? At this point, you'll begin noticing significant gaps between where you are and where you want to be. That's normal and good. Therefore, you'll want to develop a Plan of Action and Milestones (POAM).

• Prioritize projects that address the most urgent risks first: existential down to minor.
• Set a budget over time
• Consider temporary offloading/outsourcing of specific risks.
• Apply the plan to the supply chain and partners.
• Build official policies:
  • Data privacy policy – outlines how corporate data should be handled and secured properly
  • Data classification and protection policy – covers how the sensitive data belonging to customers, employees, suppliers and other third and fourth parties should be handled
  • Retention policy – details where data should be stored and for how long
  • Incident response plan – outlines in detail the steps that need to be taken in the event of a security incident

Maintaining the Cybersecurity Plan

Once the plan is implemented, it becomes an active living document that you will use in your day-to-day activities. It must be continuously maintained, regularly reviewed and updated as required for it to succeed. This includes:

• Measuring the plan’s current state against the plan’s original goals and mission
• Conducting internal audits and hiring outsourced penetration testing
• Reviewing and revising the plan on a regular schedule, preferably annually
• Developing response plans and running tabletop exercises
• Reviewing new business risks over time and adjusting the plan accordingly
• Reviewing business processes and procedures and setting up employee training programs
• Developing, defining, tracking and optimizing processes to keep in line with your business needs

Partner With Calance for Your Cybersecurity

The development and implementation of a cybersecurity plan can be a daunting task. Calance has professionals who can help small and midscale organizations develop a scaled, customized plan that meets the business requirements. Not only can a Calance vCISO help develop the plan, but can also provide your team with a way to address the inevitable gaps. For example, Calance provides IT DevOps support to implement the plan and Cybersecurity services to test and enhance the plan going forward.

To learn more about your options for cybersecurity and IT services, contact us today at www.calanceus.com.