What is a small business, and what should it do about cybersecurity?

This is the first of a series of planned posts designed to help the owner(s) of a small business make decisions on what to do about cybersecurity in their business. While I have been supporting the IT needs of small businesses as a profession for the last 25 years, I have noticed that security professionals really have no appreciation of the business realities of running a small business and what a reasonable budget for cybersecurity would be for that business. But first, I need to define what I mean when I am talking about a “small business”.

There are a number of definitions of what a small business is. The US Small Business Administration (SBA) defines a small business in a number of different ways depending on the type of business. The metrics used by the SBA are based on revenue, typically in the millions of dollars, or the number of employees, typically in the hundreds. In the IT business, the typical measurement is the number of seats, or better put, the number of people using computers in the organization. When you talk to IT vendors, especially in the security field, they talk about the target small business being 50 seats or more.

For the basis of this series of posts, we will be looking at organizations having between 2 and 50 seats. We are not looking at storefront businesses because these are unique in their own right. We will be looking at professional offices (lawyers, medical, accountants, building trades), small manufacturing, manufacturing representatives, not-for-profit organizations and other small office environments.

Not every post that I will be writing will fit every business. The thought behind this blog is to give small business owners an idea of what might suit their organization. It is not expected that the owner would be familiar with the terminology of basic IT, let alone cybersecurity. In writing these posts, I am going to try to keep the language as non-technical as possible. Unfortunately, there are times when techno-speak is required, as in the next section of this post.

There are many frameworks or guidelines for how or what you should do to secure your business. If you like reading government guidelines or are a US government agency/contractor, the National Institute of Standards and Technology has a couple of publications you should read. The first is NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, as of this writing in its fifth revision. According to the document, these guidelines are:

Mandatory for federal information systems in accordance with the Office of Management and Budget (OMB) Circular A-130 and the provisions of the Federal Information Security Modernization Act, which requires the implementation of minimum controls to protect federal information and information systems in accordance with Office of Management and Budget (OMB) Circular A-130.

The second publication, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, as of this writing in its second revision, “provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.”

Between these two publications, there are over 700 pages of detailed discussions, directions and tables of what should be done to secure your computer systems. But I suspect that you, as the owner/operator of a small business, don’t have the time, and possibly the expertise, to properly understand and implement these guidelines. I will be attempting to put some of the recommendations in these documents into simple, understandable language.

There are other frameworks available on the Internet. Microsoft alone has dozens of pages on what should be done to secure a business’ IT environment. But there is an organization that has put together a recognized set of controls and benchmarks that incorporates many of the established standards and regulatory frameworks, such as the ones mentioned above as well as the ISO 27000 series, PCI DSS, HIPAA and others.

The Center for Internet Security (CIS) is a nonprofit organization whose mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyberdefense.” For the last 20 years, this organization has worked on developing its benchmarks to help others establish the “most effective and usable security configurations”, according to its blog. The CIS Controls™ and CIS Benchmarks™ are freely available (upon registration) at their website: https://www.cisecurity.org/cybersecurity-best-practices/

I will be basing much of this series of posts on the information provided by CIS. If you are looking for a short, 15-page guide with a number of free-to-low-cost tools to secure your environment, take a look at the CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises (SMEs).

The following posts in this series will add my experiences from over 45 years of working in the interactive computing field, including my 25 years of supporting small businesses, to the information that CIS has put together.