Businesses with fewer than 1,000 employees (often called small or medium businesses, or “SMBs”) are becoming concerned about cybersecurity. Not only is the number of cybersecurity threats increasing, but government regulations require SMBs in certain sectors, such as healthcare, finance, and defense, to meet specific cybersecurity standards and practices.
According to Gartner’s Information Technology Glossary, cybersecurity (spelled as one word) refers to the systems, technologies, processes, governing policies, and human activity that an organization uses to safeguard its digital assets. The definition goes on to state that “cybersecurity is optimized to levels that business leaders define, balancing the resources required with usability/manageability and the amount of risk offset.” Many SMBs are now performing exactly this balancing act.
According to Tim Matthews, writing for the website Cybersecurity Insiders, the first computer virus was created in 1971. It was called the Creeper Virus, and it only displayed messages. The security protocol that allows people to purchase items online securely was made possible by the Secure Sockets Layer (SSL) internet protocol. Netscape began developing the SSL protocol not long after the National Center for Supercomputing Applications released the first web browser. In February 1995, Netscape released SSL 2.0, which became the basis of HyperText Transfer Protocol Secure (HTTPS), the “https” in a website address, for using the web securely.
What is the appropriate reaction to all this from a business below enterprise level? SMBs must decide how much of their cybersecurity will be done in-house and how much by contract, balancing resources against risk. There are extensive and expensive remedies available, but a business that is not in crisis mode can reasonably take the time to find a solution that offers good value.
While developing a strategy for security solutions, there are cybersecurity measures that any business can implement immediately. Staying secure is not only a matter of having up-to-date security products. Most cybersecurity attacks begin with user activity on the business network, so much of the defense consists of establishing secure IT practices for how employees use that network. While planning for cybersecurity upgrades and certifications, make sure the discipline is already in place to support secure IT practices. This will be necessary no matter what your ultimate strategic decisions about cybersecurity are.
The following are practices that should be a part of employee discipline involving the use of business networks:
- Separate personal use from business use so that the business network devices are used only for business activity. Personal email use and non-business-approved software should not be on business devices.
- Installed software on business devices should be updated and upgraded (patched) as often as updates and patches are available.
- Users should enable the viewing of file extensions and look for unusual file types.
- Users should not open email attachments from unknown senders. Software and browser security settings should not auto-execute files that contain macros (Excel files are a common example of files that can contain macros).
- When browsing the internet, links to unknown destinations should not be clicked.
- Make sure network users do not all have admin rights. Sometimes this is done for convenience, but make sure users are not logged in as administrators unless that is necessary for the immediate work being done.
- Enforce strong passwords, and do not save passwords in an unencrypted state. The use of a password manager should be strongly recommended. Most of the major browsers with password managers use some form of encryption, but many security experts recommend using a stand-alone password manager with a higher level of encryption.
- Make sure that all devices are set to back up regularly to encrypted storage. Keep a backup copy in air-gapped storage (not connected to the internet).
- Implement a disaster recovery plan. Make sure the plan works in practice by performing a test recovery; this can be done without interrupting ongoing operations.
- Appoint those in various groups who are more technically accomplished to review the status of devices in their groups and to help other users come into compliance with the cybersecurity policy.
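The following audit script is an added example, not part of the original article, that reports on several of the practices listed above (visible file extensions, Excel macro settings, local administrator membership, and whether the session itself is elevated) on a single Windows workstation. It assumes PowerShell 5.1 or later, Office 16.x registry paths, and a placeholder allow-list of administrator accounts that you would replace with your own IT accounts; it only reports findings and changes nothing.

```powershell
# Added example audit (not the article's own code). Assumes Windows, PowerShell 5.1+,
# and Office 16.x registry locations; the administrator allow-list is a constructed
# placeholder. The script reports findings and does not modify any setting.

$findings = @()

# 1. File extensions should be visible (HideFileExt = 0) so users can spot
#    double extensions such as "invoice.pdf.exe".
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $explorerKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -ne 0) {
    $findings += 'File extensions are hidden in Explorer (HideFileExt should be 0).'
}

# 2. Excel macros must not run automatically. VBAWarnings values:
#    1 = enable all macros (unsafe), 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable all without notification.
#    An absent value means the Office default (disable with notification) applies.
$excelKey = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'
$vba = (Get-ItemProperty -Path $excelKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($vba -eq 1) {
    $findings += 'Excel is set to enable all macros (VBAWarnings=1); set it to 2 or higher.'
}

# 3. Everyday user accounts should not be members of the local Administrators group.
$allowedAdmins = @("$env:COMPUTERNAME\Administrator")   # placeholder allow-list; replace with your IT accounts
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$unexpected = $admins | Where-Object { $allowedAdmins -notcontains $_ }
if ($unexpected) {
    $findings += "Unexpected local administrators: $($unexpected -join ', ')"
}

# 4. Daily work should not be done from an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += 'This session is running with administrator rights; use a standard account for routine work.'
}

# Report.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: checked settings match the practices above.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it under each user's own account, since the Explorer and Excel settings checked here are stored per user (HKCU), and repeat it after any patch cycle or new-hire setup.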
There are a variety of cybersecurity strategies to choose from, and many will be mandated by the way you must conduct your business and communicate. Regardless of the significant effort and expense that may be required, whatever is done to reach a given level of cybersecurity protection will depend on the user discipline that any business can implement immediately. Having a disciplined user procedure for cybersecurity in place will make implementing more sophisticated methods of protection, and obtaining required certifications, easier and more efficient.