Full Report
Jordan Drysdale // Blurb: A few of us have discussed the stress that small and medium business proprietors and operators feel these days. We want to help stress you out even […] The post Small and Medium Business Security Strategies: Part 1 appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Foundational Cybersecurity for Small to Medium Businesses (SMBs)
## Overview
These practices address the foundational security needs of small and medium businesses (SMBs) that often lack dedicated IT security staff. The focus is on implementing the first five CIS Critical Security Controls (hardware inventory, software inventory, vulnerability management, controlled administrative privilege, and secure configuration) to establish a basic, defensible posture against common threats.
## Key Recommendations
### Immediate Actions
1. **Start the Security Conversation:** Initiate and maintain regular discussions with all staff regarding Information Security, emphasizing that security is a shared responsibility.
2. **Identify an Internal Guide:** Designate an internal resource (the individual knowledgeable about computers, printers, etc.) to act as the initial guide and point person for coordinating security improvements.
### Short-term Improvements (1-3 months)
1. **Establish Hardware Inventory:** Create and maintain a comprehensive list of all network gear and end-user systems (e.g., servers, workstations, mobile devices). Documenting where these assets are located and who is responsible for them is crucial.
2. **Establish Software Inventory:** Create and maintain a detailed inventory of all software deployed across the organization's assets.
3. **Address Secure Configurations:** Begin the process of defining and applying **Secure Configurations** across all systems. (Note: This is identified as potentially the most difficult step and will require focused attention in the next phase.)
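As an added example (not code from the BHIS post), the Python below reconciles a constructed hardware inventory against a constructed DHCP/ARP discovery snapshot, and a constructed per-host software inventory against an approved-software list. It produces the gaps the two inventory controls exist to surface: devices on the network that nobody recorded, recorded devices that have gone quiet or have no owner, and software outside the approved list. All hostnames, MAC addresses, dates, and product names are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    """One row of the hardware inventory (constructed schema for this example)."""
    hostname: str
    mac: str
    owner: str
    location: str
    last_seen: date


# Constructed hardware inventory, as the internal guide might keep it in a spreadsheet.
INVENTORY = [
    Asset("FS01", "00:11:22:33:44:01", "jordan", "server closet", date(2024, 5, 1)),
    Asset("WS-FRONTDESK", "00:11:22:33:44:02", "pat", "front desk", date(2024, 5, 1)),
    Asset("WS-OLDLAPTOP", "00:11:22:33:44:03", "unknown", "?", date(2023, 9, 1)),
]

# Constructed discovery snapshot (MAC -> IP) from a DHCP lease dump or ARP sweep.
DISCOVERED = {
    "00:11:22:33:44:01": "10.0.0.10",
    "00:11:22:33:44:02": "10.0.0.21",
    "AA:BB:CC:DD:EE:FF": "10.0.0.77",  # nobody recorded this device
}

# Constructed approved-software list and per-host installed software.
APPROVED_SOFTWARE = {
    "Windows Server 2022", "Windows 11", "Microsoft 365 Apps", "Google Chrome", "7-Zip",
}
INSTALLED = {
    "FS01": {"Windows Server 2022", "7-Zip"},
    "WS-FRONTDESK": {"Windows 11", "Microsoft 365 Apps", "Google Chrome", "FreeScreensaverPack"},
}

TODAY = date(2024, 5, 2)  # fixed date so the example is reproducible


def reconcile_hardware(inventory, discovered, today, stale_days=90):
    """Compare the inventory with what was discovered and return the gaps to review."""
    known = {a.mac.lower(): a for a in inventory}
    seen = {mac.lower() for mac in discovered}
    # On the wire but not in the inventory: the classic "what is that?" device.
    unknown = {mac.lower(): ip for mac, ip in discovered.items() if mac.lower() not in known}
    # In the inventory but not seen today: retired, stolen, or just switched off.
    missing = sorted(a.hostname for a in inventory if a.mac.lower() not in seen)
    # Not seen for a long time: candidate for removal from the inventory (and the network).
    stale = sorted(a.hostname for a in inventory if (today - a.last_seen).days > stale_days)
    # No responsible person recorded: nobody will patch it or notice it disappear.
    unowned = sorted(a.hostname for a in inventory if a.owner.lower() in ("", "unknown", "?"))
    return {"unknown": unknown, "missing": missing, "stale": stale, "unowned": unowned}


def reconcile_software(installed, approved):
    """Return each host's installed software that is not on the approved list."""
    return {host: sorted(sw - approved) for host, sw in installed.items() if sw - approved}


def report(today=TODAY):
    """Run both reconciliations over the constructed data."""
    return {
        "hardware": reconcile_hardware(INVENTORY, DISCOVERED, today),
        "software": reconcile_software(INSTALLED, APPROVED_SOFTWARE),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

Every entry the report returns is a question for a human: the unknown MAC is either a new device to record or something to unplug, the stale and unowned laptop needs an owner or a retirement, and the screensaver pack needs either approval or removal. Feeding the discovery snapshot from real DHCP or ARP data and the installed-software sets from each host's package or program list is the only change needed to use this on a real network.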
### Long-term Strategy (3+ months)
1. **Implement Vulnerability Management:** Establish a process for **Vulnerability Assessment and Remediation:** scan systems regularly for known weaknesses (authenticated scans find far more than unauthenticated ones), then prioritize patching by severity and exposure, fixing internet-facing and actively exploited issues first.
2. **Restrict Administrative Privilege:** Define and enforce the principle of **Limiting Admin Privilege.** Give employees only the minimum access rights their daily job functions require (Principle of Least Privilege), and give anyone who genuinely needs administrative rights a separate admin account that is never used for e-mail or web browsing.
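As an added example (not from the original post), the Python below parses constructed `net localgroup administrators` output collected from several Windows hosts and reports every member of the local Administrators group that is not on an approved list, rating membership of broad groups such as Domain Users as critical because it makes every domain account an administrator on that host. The host names, the domain name (CORP), and the group names are assumptions for illustration; the output format mirrors what the real command prints.

```python
# Constructed: hostname -> raw output of `net localgroup administrators` on that host.
SAMPLES = {
    "WS-FRONTDESK": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\pat
The command completed successfully.
""",
    "WS-SALES02": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\Domain Users
The command completed successfully.
""",
    "FS01": """Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
The command completed successfully.
""",
}

# Assumed policy: who may be a local administrator, and which broad groups never should be.
APPROVED = {"Administrator", "CORP\\Domain Admins"}
BROAD_GROUPS = {"CORP\\Domain Users", "Everyone", "Authenticated Users", "BUILTIN\\Users"}


def parse_members(output):
    """Extract member names from `net localgroup <group>` output."""
    lines = output.splitlines()
    # The member list starts after the line made only of dashes.
    separator = next((i for i, line in enumerate(lines) if set(line.strip()) == {"-"}), None)
    if separator is None:
        return []
    members = []
    for line in lines[separator + 1:]:
        line = line.strip()
        if not line or line.startswith("The command completed"):
            continue
        members.append(line)
    return members


def audit(samples, approved=APPROVED, broad=BROAD_GROUPS):
    """Return {host: [(member, severity), ...]} for every unapproved local admin."""
    findings = {}
    for host, output in samples.items():
        for member in parse_members(output):
            if member in approved:
                continue
            severity = "critical" if member in broad else "high"
            findings.setdefault(host, []).append((member, severity))
    return findings


if __name__ == "__main__":
    for host, problems in audit(SAMPLES).items():
        for member, severity in problems:
            print(f"{host}: {member} is a local administrator ({severity})")
```

Run this over output gathered from every host in the hardware inventory and the result is a to-do list for the "Limiting Admin Privilege" step: each "high" finding is a user account to demote to a standard user, and each "critical" finding is a group to remove immediately. The same approach works with `Get-LocalGroupMember -Group Administrators` on newer Windows versions; only the parser changes.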
## Implementation Guidance
### For Small Organizations
* **Leverage Internal Expertise:** Rely on the designated internal computer-savvy person to lead the initial hardware and software inventory efforts; they already know where the equipment is and who uses it.
* **Focus on the Basics:** Prioritize achieving visibility through accurate inventory lists (Controls 1 & 2) before tackling complex items like Secure Configurations.
### For Medium Organizations
* **Formalize Roles & Responsibilities:** While resources may still be limited, begin mapping the responsibilities for maintaining inventories and executing security tasks to specific individuals or IT roles.
* **Pilot Configuration Hardening:** Select one non-critical system or network segment to pilot the application of defined Secure Configurations to understand the process before a full rollout.
### For Large Enterprises
* **Integrate with Existing Frameworks:** Use inventory data (Controls 1 & 2) as inputs for existing IT Service Management (ITSM) or Configuration Management Database (CMDB) processes.
* **Automate Privilege Management:** Invest in tools to automate the identification, auditing, and enforcement of Limited Admin Privilege rather than relying solely on manual processes.
## Configuration Examples
*Configuration details for "Secure Configurations" and "Limited Admin Privilege" were not explicitly provided in the article text. These steps require further research based on established frameworks (e.g., CIS Benchmarks).*
## Compliance Alignment
The recommendations correspond to the first five **Center for Internet Security (CIS) Critical Security Controls (CSC)** as numbered in CIS Controls version 7. Version 8 renumbered and partly renamed them; the v8 equivalent is given in brackets:
* **CIS Control 1:** Inventory and Control of Hardware Assets (Corresponds to Hardware Inventory) [v8: Control 1, Inventory and Control of Enterprise Assets]
* **CIS Control 2:** Inventory and Control of Software Assets (Corresponds to Software Inventory) [v8: Control 2]
* **CIS Control 3:** Continuous Vulnerability Management (Corresponds to Vulnerability Assessment and Remediation) [v8: Control 7]
* **CIS Control 4:** Controlled Use of Administrative Privileges (Corresponds to Limiting Admin Privilege) [v8: Controls 5, Account Management, and 6, Access Control Management]
* **CIS Control 5:** Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers (Corresponds to Secure Configurations) [v8: Control 4]
## Common Pitfalls to Avoid
* **Neglecting the Human Element:** Do not leave staff security awareness out of the process; security requires collective participation and understanding.
* **Getting Lost in Technical Lingo:** Avoid getting immediately overwhelmed by highly technical compliance documents; start slow with actionable, foundational steps.
* **Ignoring the Internal Guide:** Failing to empower and utilize the existing knowledgeable internal IT resource can lead to burnout and misdirection.
## Resources
* **CIS Critical Controls Documentation:** Detailed information on the implementation steps for the controls mentioned (Search for "CIS Controls documentation").
* **Internal IT Resource:** The person within the organization currently responsible for fixing printers and network outages.