Introduction: Should You be Afraid of the Big Bad Cyber Wolf?
Responding properly to cyber threats and risks may require specialized skills to implement some of the necessary technical security solutions. However, the methods and actions recommended in this book take into account that many small businesses simply don’t have staff who are skilled in cybersecurity.
Chapter 1: Is Cybersecurity Really Necessary for Your Small Business?
This book intends to provide you with a way to develop a plan of action for creating a cybersecurity program that is no-cost or low-cost. You should end up with the necessary documents to incorporate with your business plan and meet your business goals and objectives. The resulting program should allow you to implement adequate security measures with minimal impact on your small business operations.
Chapter 2: Applying a Cybersecurity Risk Perspective to Your Business Plan
The same three steps are used to rate the proposed “Safeguards,” which are the security controls, devices, and procedures used to protect the asset. The result of this evaluation and calculation is the “Safeguard Risk” score, which is compared against the Observed Risk for the same asset. At this point, you can determine whether additional security measures would be beneficial or not.
Chapter 3: A Cybersecurity Risk Assessment Methodology
The concluding steps in the process cover “Risk Treatment,” or how the organization chooses to address each of the risks and safeguards. The proposed solutions to increase security and reduce risk must be both: Appropriate – remaining risks will not create or increase harm beyond what is tolerable, and Reasonable – safeguards will not cause more of a burden than the risks they are meant to protect against.
Chapter 4: Defining the Elements of a Small Business Cybersecurity Program
‘One size fits all’ doesn’t work for managing cybersecurity risks. Having a ‘cafeteria-style’ method of selecting governance components allows you to create a custom set of documents that best meets the needs and fits the culture of your small business.
Chapter 5: Cybersecurity Lifecycles – They are Processes, Not Destinations
The intent of repeating the cybersecurity program lifecycle each year is continuous improvement in your security posture. The intent of repeating the security functions lifecycle periodically, as needed, is to keep up with current threats and vulnerabilities.
Chapter 6: Developing a Small Business Cybersecurity Strategy
A cybersecurity strategy is intended to articulate management’s goals and objectives for the following three to five years, as well as define an ongoing cybersecurity program. … The purpose of this chapter is to provide definitions for the various component sections within the cybersecurity strategy document. The actions from this chapter may lead to you creating a working draft version of a strategy and basic cybersecurity program.
Chapter 7: Incorporating Privacy Requirements with Cybersecurity
The main theme across the laws we reviewed is that the consumer maintains ownership of their personal information and has the right to control what information is collected about them and how that information is used, and has the ability to opt out, such that their information is fully deleted.
Chapter 8: Creating Your Small Business Cybersecurity Program, Step-by-Step
This chapter will outline the basic steps to take in creating a cybersecurity program – bringing together what you have already done and basically summarizing what has been presented up to this point. These steps will walk you through completing the templates in Appendix D for developing a set of customized documents.
Chapter 9: Next Steps … Looking Ahead
In this chapter, you will learn the beginning steps for setting up some basic security measures considered by CIS to comprise ‘cyber hygiene.’ The purpose of this chapter is to get your small business protected at a minimum level that you are comfortable with. By creating a cybersecurity program, with its related policies and procedures, along with a training and awareness program, you are already achieving several control objectives.
Appendix C: Incorporating Cybersecurity Risks into a Business Risk Management Plan
Businesses generally calculate several different types of risk factors that may impact the success or failure of the business. … No matter what the individual circumstances of a particular business are, there should be a risk analysis using all relevant factors. This allows the owners and management to make informed decisions about mitigating impacts and lowering overall business risk.