The Cybersecurity and Infrastructure Security Agency (CISA) recently published guidance to help small businesses make themselves more cyber secure. Why? The reason given is that there has been an increasing number of attacks launched against small businesses. This is not surprising as we’ve written about the ease of launching cyber attacks today.

CISA breaks down the recommendations more as tasks that should be assigned to 3 different roles - CEO, Security Manager, and IT leader. It is interesting to us @ Haekka to see a security manager called out for a small business as we often see that role shared when a business is sub 50 and sometimes sub 100 employees.

Multi-factor Authentication FTW

One recurring theme in the guidance is the recommendation to use multi-factor authentication (MFA). This is a great recommendation for small businesses as it makes cyber attacks much harder and it is very easy to implement using software and hardware that is widely available and cheap today. As we recommend to all of our customers at Haekka, MFA is the first thing you should do if you haven’t done it already.

Use the Cloud

CISA recommends moving infrastructure from on-prem, or in your office if you are a small business, to the cloud. Cloud providers have armies of security staff and using the cloud enables customers to leverage this security expertise in their own infrastructure.

Use iPads and Chromebooks

This recommendation surprised us a bit but it makes sense if you think about it. Small business do not have the resources to do a lot of management of employee devices. Therefore, they are reliant on the vendors of those devices. CISA calls out iPads and Chromebooks as “secure by design”.

The role of the CEO in cybersecurity

The buck stops at the CEO. As cybersecurity becomes an existential function, the CEO needs to be involved in the overall cybersecurity program. CISA has a good set of recommendations for how the CEO can support the creation and maintenance of an infosec program.

1. Build a culture of security. Talking about security, mentioning it to the board, and generally being engaged in cybersecurity is a great way for a CEO to help build a culture of security.
2. Select security manager and IT leaders. This is maybe the single most important cybersecurity function of a CEO.
3. Review and approve the Incident Response Plan (IRP). This is not a function we typically see a CEO handle. Ultimately, the CEO owns the overall business continuity of a company so in that sense it makes sense that the CEO would review and approve an IRB, or at least be involved in the process.
4. Participate in tabletop exercise drills (TTXs). This is another area where we rarely see a CEO involved.

The role of security manager in cybersecurity

A security manager is an essential part of a security program. The one thing we see lacking most often with security managers is a lack of ability and control over some of the functions to which they are responsible. Give your security manager the power to do their job and protect your company.

1. Training. We could not agree more. But, we don’t think training to check a box helps; in fact, we think it hurts. Training needs to be continuous and focused on high risk behaviors.
2. Write and maintain the Incident Response Plan (IRP). Along with MFA and tabletop testing, incident response is the second most common task that CISA recommends to small businesses.
3. Host quarterly tabletop exercises (TTXs). Quarterly tabletop tests are more frequent than we almost ever see for small businesses. Most do this annually, especially if there are not huge changes in the plan or infrastructure in use.
4. Ensure MFA compliance. MFA matters a lot to CISA. We agree. Enforce MFA on every account.

The role of the IT leader in cybersecurity

Despite having a security manager and CEO involved in cybersecurity as outlined above, the IT leader still has many responsibilities.

1. Ensure MFA is mandated using technical controls, not faith. MFA should be in use everywhere, including when elevating privileges and accessing admin accounts.
2. Patch. Keep your software up to date. Using a standard endpoint like an iPad or Chromebook likely makes this easier.
3. Perform and test backups. Backups are a key part of incident response and disaster recovery.
4. Remove administrator privileges from user laptops. This is another function helped by standardizing on iPads or Chromebooks.
5. Enable disk encryption for laptops. This is such an easy step to take today. It is usually a few clicks on any modern operating system

‍