Small-business security primer, part two: the next layer

Part one of this primer covered the technical basics. Part two is the next layer — disciplines that are less technically obvious and more about how your business operates.

The target reader is the same: a small-business owner with no technical background. The disciplines below are useful once the basics are in place.

The next layer

Five more things, again in rough priority order.

1. Network separation between work and rest

If you have a wireless network for guests or for personal phones, it should be on a separate network from the business computers. The technical detail of how you do this depends on your equipment; the principle is that the wireless network should not have direct access to the business network.

Why: a guest's compromised phone, a malicious USB stick brought in by a visitor, a child's laptop carrying something nasty — none of these should be able to reach your customer database.

For most small businesses, this means: a router with a "guest network" feature (most modern home/small-office routers have this), and a small amount of configuration to make sure the two networks cannot reach each other.

If you do not know how to do this and do not have someone who does, ask. The cost of getting it right is modest; the cost of not is potentially substantial.
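An added check, not part of the original post: once the guest network is set up, run this small Python script from a laptop joined to the guest Wi-Fi. It tries to open a connection to a few of your own business machines and reports any that answer. The addresses and ports in it are placeholders; substitute the private addresses of your own file server, office PCs or point-of-sale machine and the services they actually run. One caveat worth knowing: some routers' "guest" or "client isolation" settings only stop guest devices from seeing each other and still let them reach the wired business network, which is exactly what this check reveals.

```python
"""Verify, from a device on the guest Wi-Fi, that business machines are unreachable.

Added example (not the original post's code). Run it from a laptop or phone
joined to the *guest* network. Every address below is a placeholder.
"""
import socket

# Constructed placeholders: replace with your own business machines and the
# ports they serve (445 = Windows file sharing, 3389 = Remote Desktop).
BUSINESS_HOSTS = [
    ("192.0.2.10", 445),   # file server
    ("192.0.2.20", 3389),  # office PC
]


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def isolation_verdict(results):
    """results maps (host, port) -> reachable. Returns (isolated, leaks).

    The guest network counts as isolated only when nothing answers.
    """
    leaks = sorted(key for key, reachable in results.items() if reachable)
    return (len(leaks) == 0, leaks)


def run_check(hosts=BUSINESS_HOSTS):
    """Probe every listed machine and summarise the outcome."""
    results = {(host, port): probe(host, port) for host, port in hosts}
    return isolation_verdict(results)


if __name__ == "__main__":
    isolated, leaks = run_check()
    if isolated:
        print("OK: no business machine answered from this network")
    else:
        for host, port in leaks:
            print(f"REACHABLE: {host}:{port} - guest network is not separated")
```

If anything is reported as reachable, the two networks are not yet separated and the router configuration needs another look; if the script prints OK for every machine you listed, the guest side cannot open connections to them.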

2. The owner-manager-accountant trinity

Three specific people in your business need different things, security-wise:

The owner (you, if you are reading this) needs to know what is going on. You need to be able to ask questions, get clear answers, and make decisions. You do not need to be technical; you need to be informed.

The IT person (whoever that is — could be an employee, could be a contractor, could be you) needs the responsibility and the authority to do the work. If you have an IT person and you are constantly overriding their security decisions because they are inconvenient, you are training them not to bother.

The accountant (or whoever handles your finances) needs to understand the financial implications of security incidents. The cost of a serious breach is not just the technical cleanup; it is regulatory fines, customer loss, business disruption. Accounting for this realistically helps with security investment decisions.

This is the organisational discipline. The specific disciplines do not work without it.

3. A written incident-response plan

If your computers were locked by malware tomorrow, what would you do? If you have to make it up on the spot, you will make decisions you later regret.

The plan does not have to be elaborate. A single page is fine. It should answer:

  • Who do I call first?
  • Do I disconnect things from the network? When? Which things?
  • Do I pay if asked? (Usually no; the answer is usually no even when you really want to say yes.)
  • Who else needs to be told? (Customers, regulators, insurers, employees.)
  • How do I prove what happened, after the fact?

The writing-down is the discipline. The plan does not need to be perfect; it needs to exist.

4. The forgotten-things audit

Every small business has things that have been forgotten. The old computer in the corner that nobody uses any more. The website page that was set up for one project and never taken down. The user account for the staff member who left two years ago.

A quarterly audit of these things — even an informal one — is a useful discipline. The questions:

  • Are there any computers I do not actively use?
  • Are there any user accounts I do not actively need?
  • Are there any passwords or access credentials that should be rotated?
  • Are there any business processes that depend on something I should reconsider?

Most forgotten things are harmless. Some are not. The audit is the cheapest way to find the ones that are not.

5. The supplier-trust audit

Your business depends on suppliers — software vendors, service providers, contractors. Each of them has access to some part of your systems or data. Each is a potential point of compromise.

A simple discipline:

  • Make a list of every external party that has access to anything important.
  • For each, check that the access is minimal (they have what they need, not more) and current (they still need it).
  • For the most-critical suppliers, ask what their own security disciplines are. The answer should not be "we do not have any".

This is the supply-chain discipline. It is the one that gets organisations into the most trouble in the long tail.
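An added example, not from the original post, that turns the forgotten-things audit and the supplier-trust audit into one quarterly routine: keep a short register of who has access to what, and run a review over it. The register below is constructed sample data; a real one would live in a spreadsheet exported as CSV with the same columns. The 90-day threshold is an assumption you would adjust to your own business.

```python
"""Quarterly access review over a small access register (added example).

The register is constructed sample data with these columns:
  name, kind (staff|supplier), system, last_used (YYYY-MM-DD or blank),
  access_expires (YYYY-MM-DD or blank), needed (yes|no)
"""
import csv
import io
from datetime import date

REGISTER_CSV = """name,kind,system,last_used,access_expires,needed
alice,staff,accounts,2024-05-30,,yes
bob,staff,file-server,2022-03-14,,yes
old-pos-terminal,staff,point-of-sale,,,no
PayrollCo,supplier,accounts,2024-05-28,2024-12-31,yes
WebDevAgency,supplier,website,2023-01-20,2023-06-30,yes
"""

STALE_DAYS = 90  # assumption: anything unused for a quarter gets a look


def parse_date(text):
    """Blank cells mean 'unknown' and come back as None."""
    return date.fromisoformat(text) if text.strip() else None


def review(csv_text, today_iso):
    """Return a list of (name, system, reason) findings for the register."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, system = row["name"], row["system"]
        last_used = parse_date(row["last_used"])
        expires = parse_date(row["access_expires"])

        # Forgotten-things audit: access nobody needs goes first.
        if row["needed"].strip().lower() != "yes":
            findings.append((name, system, "not needed: remove access"))
            continue

        # Still needed on paper, but is it actually used?
        if last_used is None:
            findings.append((name, system, "never used: confirm it is needed"))
        else:
            idle = (today - last_used).days
            if idle > STALE_DAYS:
                findings.append((name, system, f"unused for {idle} days"))

        # Supplier-trust audit: access must still be current.
        if row["kind"] == "supplier" and expires is not None and expires < today:
            findings.append((name, system, f"supplier access expired {expires}"))
    return findings


if __name__ == "__main__":
    for name, system, reason in review(REGISTER_CSV, "2024-06-01"):
        print(f"{name:18} {system:14} {reason}")
```

Run against the sample register on 2024-06-01 it flags bob's long-idle file-server login, the point-of-sale terminal nobody needs, and the web agency whose access both lapsed and went unused; alice and the payroll provider, which are used and current, produce nothing. The point is not the script but the register: once the list exists, the review takes minutes.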

What this primer is

Ten disciplines across two parts. None of them is technically difficult. Together, they substantially reduce your exposure to the typical threats facing small businesses.

The discipline most small businesses are missing is consistency. They do some of the things some of the time; they do not do all of the things all of the time. The cumulative reduction in risk comes from the consistency, not from any one specific control.

What I am not covering

A few things deliberately left out:

Specific tools. I have not recommended specific antivirus products, specific backup services, specific routers. The right specific tool depends on your specific situation. Asking someone you trust who knows your business is more useful than reading my opinion.

Compliance. PCI-DSS for credit cards, sectoral regulations for specific industries. These are real concerns but are very specific to your industry. Get specific advice for your specific situation.

Insurance. Cyber-insurance is becoming a category. Whether it is right for your business depends on your specific risk profile and your other defences. A conversation with a knowledgeable broker is worth having.

A closing note

If you are a small-business owner reading this and have made it to the end, thank you. The fact that you have read this much suggests you take this seriously. That is the most important thing.

The specific disciplines matter; the attitude of taking the issue seriously matters more. A business owner who is engaged with the issue and asks good questions of the right people will end up substantially safer than a business owner who delegates the entire concern.

For any specific questions about applying these disciplines to your specific business, asking someone who knows both your business and the disciplines is the right next step. There is no general advice that fits every specific case.

More in time. The next post will be back to the more technical writing for my usual readership.
