Create Your 2018 SMB Cybersecurity Plan in 6 Steps


Wistia video thumbnail - 2018 SMB Cyber-security Plan in 6 Steps

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?


My name is Tom McDonald, and I'm the CEO of NSI. Today, what we're gonna talk about is how to create a 2018 SMB cyber-security plan in six steps. This is based on the NIS tape, NIST, Interagency 7621 report. Fifty-four pages of riveting information for the small business around information security and cyber-security. So I read this for you and condensed it, so you don't have to. You can thank me later.

This is the third in a series of events we've been doing around cyber-security, focused on the SMB (watch Part 1 here). We'll talk to ya at the end of this a little bit more about NSI and what we do, but this is part of our series on Pause, Think and Act, all around tips and tricks and things you could do with cyber-security to help protect your business.

Watch the Free Cybersecurity Awareness Training Video

Let's take a look today at the agenda. So, the first part what we're gonna talk about is who is NIST? And why did they write this report? I didn't even know it existed until I got ready to put this thing together, and I started hitting the Google machine and up came this report. Interestingly enough, I joke about it, but it has some great content and is written at a level that I think anybody can understand. It's just got a little too much content, so I reduced it and gave you the highlights and we'll go through all that now. 

We'll talk about the security basics, the definitions, why should you care, why this is important to you. We'll go through the plans. So six steps you can take to put something in place for 2018 to protect your business and your assets. We'll finish that up, we'll talk a little bit about NSI, our company, who we serve, what we do, why we do it and how we do that, then we'll get a quick recap on the presentation and some things that you can do right away and then some next actions you can take.

Who is the NIST? And Why Did They Write a Report? 

So, who is the NIST? And why did they write this report? I didn't even know they existed. It's called the National Institute of Standards and Technology, and they are an organization focused on information technology. And they have this thing called the Information Technology Laboratory or ITL. I've heard that term before and if you're in the IT business, you've heard it as well. So, I'll read you a quick blurb here.

"Promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards, infrastructure" I don't know what that exactly is. "ITL develops tests, tests methods, reference data, proof of concept." Okay, there's a lot of stuff here. But, the reason is, why did they write this? So they wanted to develop some kind of a report or some kind of guideline, the government wanted them to do this, to get it in the hands of the small business person so they can look at this and make sure they do something to protect their business.

We're gonna go through the fundamentals of what that means, info security and take you through this in non-technical language. That's what they wanted to do and I'm gonna even dumb this down a little more.

Security Basics—The Definitions

So, let's talk about the security basics. What is information security? What is cyber-security? You hear these terms all the time, and where does this fit in your overall security plan for your business?

As I was putting this together, I realized, we talk about these terms all the time and I assume everybody knows what we're talking about, but the reality is this, I don't think they do. So, I wanted to be able to put this together and take you through the formal definitions of that when we get to there. And then cyber-security, you hear that all the time, but what does it mean? So cyber-security at the very base level means protecting the electronical devices and the information that is stored on these devices.

And these are components of an overall security plan that we're gonna take you through. Okay, so let's look at what the exact definition of these things are. Information security, protection of information, information systems, unauthorized access, used disclosure, disruption, modification, or destruction in order to can read it as well as I can. It's sitting there in front of you on the slide. But, hopefully this gives you some understanding.

Now we're gonna talk about what the formal definition is of cyber-security. What till you see this. "Prevention of damage to, protection of, and restoration of computers, electronical communication system." I can't even get through this whole thing, but you get a sense of what we're talking about. And I think the most important thing if you're watching this and for what you need to realize about your business is these are...whether you understand what the definition of these terms means, you need to do stuff today to protect yourself and protect your business and we're gonna help you put that plan together.

So, let's talk a little bit about these, you know, these are components of an overall security plan. Cyber-security is one of the pieces that you need to put together to protect your business, which most of you, I'm sure, are doing already. I'm sure all of you are doing this. So think about it from a perspective, look at the left-hand side of the screen. Physical security, you have locks on your doors. You have locks on your windows. You have an alarm system. You have cameras. You have access control. You have physical security. You do some form of background checking on your employees, either when you hire them or when a vendor wants you to do business with them. There is something that's going on there. 

Hopefully, all of you are doing some kind of contingency planning, some kind of disaster recovery planning, you got something going on. Operational security, privacy, protecting what you have, and then cyber-security. So, it's part of the overall security measures you're taking to protect your business.

So, Why Should You Care About Having a Cyber-security Plan?

So the first reason you should care, the big guys have been investing, big companies. Bigger companies than my business NSI or your business, have been spending a tremendous amount of money. They have money. They have time. They have resources. They have the technology. So they've been protecting themselves. They've put things in place to make it very difficult for the bad guys to come and attack them.

What does that mean? That means it makes us soft targets. So the people that want to do harm for whatever the reason they wanna do harm, they realized that we are soft targets because we haven't had the time to put the money and the effort in to protecting our stuff. So it's the same thing you hear when you put an alarm system or you put a sticker on your window or you lock your doors at home. You want the bad guy to move from your house to the next house. You don't him to bother you. So that's what happening. They're moving from the big guy to the small guy, and that's why you should care.

Also, when I look at this, most small businesses have more to lose. If you think about it, whether it's a hacker, a natural disaster, a business loss, it's costly. It's significantly costly to a small business and we're generally less prepared to handle events. Larger businesses have things that are going on, and they have plans in place to protect themselves. And lastly, you know, why you should care, is because we often think this is just too hard or costs too much, and it does not, okay? It really doesn't. It just takes some time and some consideration and when you view it as part of your overall business strategy, it's something you should be doing today.

 Create Your 2018 SMB Cybersecurity Plan in 6 Steps

So let's take you through a plan. So this is 2018. So I'm recording this, it's November. Everyone's getting through the end of the year. You're gonna start thinking about plan, you're gonna be doing your budgets for 2018. This is another thing that you should put into place. So we're gonna go through it with six steps.

Step 1: Identify and Understand Your Risk

Number one, identify. Identify and understand your risk. You need to know the first thing you need to do is to figure out what it is you want to protect. You're not gonna wanna protect everything and you wanna understand where your risk is. So, you wanna look at your business, you can't eliminate all risk, we understand that, and it's unreasonable to think you can protect every piece of information in the business. But you wanna understand where you have the most risk and you wanna understand what it is that you can protect.

So, a good way to start with that is just get out a piece of paper, open up a document, spreadsheet, a Word document, and just list everything you think of. You don't have to be too specific, just write it down, list it out, so that you can come back in a year. Highlight it or cross it off. Okay, what do you wanna protect? You wanna protect your hardware. You wanna make sure that you're protecting your applications. One of the things you wanna do is you wanna include all the make, models, serial numbers of the equipments you have. You wanna make sure that you don't forget to include stuff that's outside of your business, that's involved in the technology, so if you got cloud applications. You wanna look at all your Edge devices. Basically, you wanna identify what it is that you need to protect, okay?

Next thing, identify your threats and vulnerabilities. I'm gonna make a suggestion here to everybody to find a service and get a pen test. So it's a penetration test. What this does is, it'll help'll tell you where you're the most vulnerable. So you hire a company, a company like NSI, go online and find companies that do this. You can do it as a service, and they come in and they try to penetrate the organization and see where your vulnerabilities are and then they give you a report.

Once you get that report, then you take it and then you can prioritize. So what and where do you wanna focus first? You get the test back, you take in account all the stuff that they talked about and it gives you a place to start, okay. It gives you a place where you can start to put together your plan. Okay, once you do that, next step is, you gotta protect it. This is tactical stuff you could take and put it into place immediately. Limit employee access to data and information. 

Step 2: Protect

We walk into companies all the time, we look at their active directory, and we start seeing that they allow employees access to almost everything. You don't need to do that. They don't need access to everything. Or you may not even realize that they have access to everything. When possible, you wanna only give them access to specific information they need to do their jobs and nothing else. Additionally, when they leave the business, you wanna make sure that you remove that information from the system.  

So, when they leave the business, generally, you're gonna collect their ID card or you're gonna change their access to the building. Lots of times, companies forget about getting them… you know, removing their access. If they have remote access, get rid of that. Install a UPS. This is basic stuff. Even backup, even a level below that. Surge protectors and UPS'. Simple stuff. A UPS is uninterruptible power supply, so it provides you access if the power goes out or something happens in the business, that orderly shutdown of your equipment.

You should have one or multiples. You may wanna put a specific one on a very important PC. If you have a data center, if you have servers, you want one on that. You wanna understand how much battery you need, and you also wanna be able to check those batteries. Very important, simple stuff lots of companies don't do it. Patch your operating system. If you have a company that's monitoring and managing your equipment, they're probably doing this for you, if not, you need to be thinking about this. The reason this is important is bad guys are trying to find access to all these operating systems, all these applications, and so Microsoft is constantly pushing out updates and patches. You need to be aware of those, need to be pushing them out.

Install a firewall. Very simple hardware. Install a firewall on the Edge. It's something that every organization should have. And then most importantly, once you install it, again, this is something that needs to be updated and it needs to be monitored and managed. We'll talk about this a little later about logs, but you should have a firewall, you should keep it current. It's the single piece of technology, it changes the quickest and organizations these days. So I always remind people, if you're gonna head behind a three to five-year refresh plan for your PCs and server, the firewall is gonna be replaced a lot sooner than that.

Secure your wireless. Everyone has wireless in the building. They just wanna give people access. You should segment it. If you have customers, your vendors that come in and use it, you should make sure that they have a separate login and set up a separate network for them or have your IT provider do that for you, and make sure you limit the access. If you are outside the office, and you need to access wireless, be very, very careful. You wanna be careful with unknown networks and you don't want conduct business when you're out sitting in Starbucks.

If you have a lot of people that are gonna come into the business, that are gonna be working remotely, a VPN, a virtual private network, is something you should consider and talk to your service provider. They can help you get set up with that. Web and email filter, so again, email filters will help remove the bad stuff before it gets to you. So emails that are coming in trying to attack your system with malware and they get them before they come into your email box. Encryption, everybody should be using this, either if you have a laptop, you have your data encrypted on it. If you're sending information, if you have to send any kind of information with financial or health and medical records on it, you need some encryption. 

It used to a big struggle, now it's built into Office 365 ports, a quick thing that you could turn on or an additional level of service that you could purchase, and it's very easy to use. You put "secure" in the subject line, you type in "encrypt." And the other thing is that years ago, you needed to have specific tools to send an open, now, it's much easier, when you send it to somebody, it helps and walks them through how to open something like that. This is back to the '90s. Disposable computers and media, be very careful when you get rid of these things. You're gonna throw them away. You're gonna donate them. You're gonna sell them or give them to your employees. 

If you're gonna do that, you gotta make sure to electronically clear out the hard drive or destroy the hard drive. Don't even sell it with the hard drive. Or better yet, depending on what you're gonna get, and if you think there's any kind of information on these things, just get them destroyed. Get a certificate of acknowledgment or have one of these services that comes to your organization and does if for ya. They could take it and they could destroy it right there for you.

Now, train your employees. I can't stress enough how important it is to have a continual process to train your employees. One of the earlier webinars we did was focused on this. There are all kinds of services that you can utilize from having companies like us come in and talk to your employees to online training, but it's a consistent thing and they need to know, right, they need to know what they can use their computers for, what they can't. You gotta make sure to tell ' gotta educate them on how to treat this information. It's not just on their computers, it's when they're printing it out, it's when they're making...if they're scanning things, and there's many places you can go. 

You can go to local community college, you can go to Small Businesses Association. It runs all kinds of training. There's lots of stuff you can do. This is a whole topic, and we could talk for hours about this, but you gotta keep your employees up to date on training.

Step 3: Detect

Number three, detect. Okay, listen, everybody on this listening to this, you should install and update your AV, your spyware, you gotta maintain and monitor these logs. You gotta look for malware. There are some specific things we could talk about it, but, you know, I'm looking at my notes here of what you can do and when you can do it, but the reality is, as I was putting this presentation together, I put a lot of, you know, I have almost a page of notes in front of me about all the things you should be doing. The reality is as a small business owner, a leader, you're just not gonna do this. You need a service to help you with this, because it's a consistent thing that has to happen all the time. 

Step 4: Protect

You need to be updating it. And then you need somebody with some knowledge of what they're looking at to maintain and monitor these logs. Even if you looked at the logs that come out of this, you're not gonna understand what you're seeing. Only an expert can look for the unusual or the unwanted things that are going on. So, it's very critical that most people say, "I have AV." You know, "I have Norton," or, "I installed the WebRoot." But the reality is you gotta install it, you gotta keep it updated, and you gotta make sure it's on all the machines. You get new employees, people leave, and then someone needs to be monitoring this stuff. 

So, we protect it, we identify, we protect, we detect. Now, you gotta respond. You gotta have a plan.

Step 5: Recover

You need a plan for when something bad happens. So, you've heard the DR planning and maybe you have something relative to how to work from home or how the phones roll over, or maybe a cellular rollover roll over in case you lose your main phone line. Really, what you need to do is you need to develop a plan. You can download a template on the internet. There's a million things, you can hire somebody that can write this for you, but you need roles and responsibilities.

You know, who makes the decision? Who's initiating your recovery procedure? Who do you contact, etc. What do you do with the information in case there is an incident, right? This includes, how do you shut stuff down? When do you move to the backup site? Are you gonna remove stuff from your office? Who do you call? How do you alert everybody if you have some kind of issue? If you're used to sending email and your email's hosted in-house, how are you gonna email everybody? Do you have a backup email system? Do you have cell phone numbers for everybody?

 You know, this is just the tip of the iceberg, I don't wanna spend a tremendous amount of time going through this, but there's a lot of information you need so it's key that you have a plan and you have it in place. I'd say, you know, simple procedures describe exactly, you know, what the different roles are, what's expected if you have an emergency, and then put it together just a simple plan. Get a template off the internet and start there. 

Now, what happens, you gotta recover all this stuff. Running out of breath. Full backup of important business information. When we go to clients all the time, "Hey, are you backed up?" "Oh yeah, we're backed up." "How are you backing up?" "Well, we gotta a drive." "What kind of drive?" "Well, we, you know, I bought these drives at Staples, and I ordered them from Amazon and Mary takes them...takes one offsite at the end of the week." And then I ask, "What kind of that? Is it a full back up? Are you doing incrementals?" People don't know. So, very simply, listen, you need a full backup. This is the first part.

You gotta make sure you have a full, encrypted, remember we talked about that before, of each computer that has critical business information. Hopefully it's all in the server. Lots of times, companies don't do that. So make sure you have a full backup and that it's encrypted, and that you have some way of getting it offsite, at the very least. Talk to you a little bit more about what I think you should be doing for most situations, but at a baseline, that's what you need.

Now, let's talk about incremental. An incremental backup is, it's an automatic backup of the differential. Okay, so you're not backing everything up, you're only backing up the changes that you've identified and you wanna do this...I mean, in this report it says weekly, you need to be doing this daily or maybe multiple times a day. Again, this isn't a lot, it's just the changes, so if something gets changed, you know, think about this, if you have a full back up on Friday night, Mary makes a change on Monday morning, she loses that and she realizes that she's lost it on Thursday, she can't get it back. She can only go back to Friday. If you're doing it daily, if you're doing it hourly, depending on what it is, you're gonna be able to go back and find that.

So really, make sure that you have incremental backups as well as a full. Okay, now, here's the other part. You gotta test this. You gotta make sure that these backups that you've processed, that they're going, that you can get them back. And again, make sure this stuff is encrypted. And just do a test. Put it on your calendar. Set a date. Run a simple...hey, we gotta test a backup. See if you're gonna recover a file. See if you can restore you know, a full server. That maybe more than what you're comfortable doing, but your IT service provider can certainly do that. 

Consider cyber insurance. You're talking to your insurance provider, I can guarantee they're bring it up to you because it's another way that they can make money, but I think it's worth understanding and going through. Most of the time, if they bring it up, and you feel as though they're not clear on giving you the definitions of what's covered, ask them to bring somebody in from the carrier to give you more detail on the cyber insurance. They'll do it. We've had it done for our business, it's a simple thing to do and I suggest everybody does it.

 And last, is make sure that you have a process procedures that you have all the stuff put together. That you're looking it at on a regular basis, and that you're doing training, you're talking to your people about all this stuff. It's great to have all the stuff, but then you gotta document what's going on. 

Step 6: Practice Safe Computing

 All right, number six. We're to the end here. All right, practice safe computing. Be safe. This gets back to the user training, and I'm gonna go through some of the highlights. First one, be careful with email attachments and web links. You've heard this a million times before. Don't click on stuff. If you know it's bad, don't click it. If you even think it's bad, don't click it. There's a million things, I probably get two to three a day, and we have all kinds of stuff in place and I have to double check. Be careful. Don't click on open links. Hover before you do, and if you do click on something and you think there's a situation, alert whoever's taking care of your IT, sooner rather later.

Don't sit there and try to turn your machine off or think it's gonna go away. The sooner you can let somebody know about it, the better off you're gonna be. Okay? Don't plug in phone drives. Don't bring personal stuff into the office. Don't be taking your work stuff and mixing it with your personal stuff. Someone gives you a drive with a bunch of songs on it, don't bring it and plug it into your officer computer. This is basic stuff. Be very careful when you're downloading information off the internet. This gets back to some of the emails, make sure you're on the right site. If you're gonna go look for something, you gotta be careful what you type in. If you're going to get an update from say, in Adobe, and you misspell Adobe and it could bring you to the wrong site. Next thing you know you're downloading some malware. So be very careful.

Don't give out your personal information, okay? People call up, this happens, you would be amazed at how often this happens. You get a phone call or something happens. It's basic stuff, but you should… just a reminder to everybody, that that's there. And again, if anyone asks to use your name or password, don't give it out. You know, it's just basic stuff. Don't do it. And then change that as often as you can, okay?

There's other stuff here, but I think that's the basis of it. We talked about strong passwords. We talk about how often you're supposed to do that. You're gonna hear it's random sequences of letters, numbers, you wanna have special care because you wanna make 'em longer. You wanna think about having a different password for every single thing you log into. It's really unrealistic, but what I could tell you is, have a couple of passwords that you utilize. Try to rotate them. Try to make them as complex as you possibly can, but that you can remember. And again, don't give them out, and don't use administrator passwords. Try as best if you can, not to have passwords of multiple people can use for different things.

When you're gonna be online and you're doing business online, which a lot of us do, be very careful that you're on the right spot, you're in the right place. And again, if it's banking information, if your controller or finance person is doing online commerce, they need additional training. And then you work with whoever the vendor is, whether it's your bank, or the different vendors that you work with. Or you're buy where you are transacting business. Simple stuff to keep in mind. 

That was a lot of stuff. Those were the six steps. In summary, no one is an expert in every business and technical area, not even you, not even me. So this helps you get an idea. It gives you some talking points that you can review with the company that's helping you support your IT, which I hope you have. If you don't have one of those, I think it should be something that you consider because you can get an extra set of eyes and their core business is focusing on in taking care of this stuff for you.

Finally, here, my recommendation to all businesses, particularly small businesses. You don't have the skill set to do this, so you should really look to outsource your technology. You should look to find a company that can do this for you. This is simple stuff. You can hit that command line in Google, type in "IT service provider, manage service provider, security as a service." There's a million things you could type in, but when you find somebody, when you talk to people that are in the same business, you ask them who they're working with.

Once you get in touch with a company, ask for recommendations. Make sure they know what they're doing. Check their past performance, you know. You wanna understand who is gonna be doing the work for you. So you wanna look at qualifications and certification, both of the company and of the people that are gonna be doing this work for you. Lots of times you're gonna be able to check that out when you talk to existing customers and you get references. Always a good idea to look for these certifications and really makes a lot of sense to get this business and get it outsourced. They're gonna take care of it better than you could take care of it yourself. 

All right, that was a meat and potatoes, now, a little bit about us. What we do is very simple. We assist our clients and we help them make more money, spend less money, reduce the risk of losing it, so we're talking a lot about risk today. And we help them stay compliant and secure. But ultimately, we allow them to focus on the core aspects of their business so we can focus on the core aspects of our business which is taking care of your technology.

 So, our offer, what we do, so the unique genius around what differentiates us from the competition, is we have a full time locally-staffed help desk here in beautiful Naugatuck Connecticut. They take your answers. They answer the phone, and they resolve your issues today. We offer a fixed price solution, so when you do business with us, we look at your environment. We assess what you have ,and then we give you a number and that's a fixed price for us to do this IT support. So you won't get bombarded with things, in and out of scope, in and out of service, it's one bill. 

And then the secret to way we're successful, is we standardize the solution. We force compliance, not only of you from our clients, but across all of our clients. So it makes it easier for us to support them and it makes us better. It makes us quicker at resolving issues for all of our clients. And it's really something that you should do as well. I tell people all the time, if you're not gonna hire somebody, you can do the same things we do very easily, which is standardize the solutions inside your organization.

Things that we do. So, I mentioned we do IT support. We support real time. We put the agents on your equipment to monitor and manage it. We have a help desk and we're preventing issues before they develop. We offer a virtual CIO service. That's a higher level where we do consulting, so a lot of things we talked about earlier. One of our technology account managers comes out to your site, they look at your equipment or they have discussions with you, they help map out plans, projects, all that kind of stuff. 

Remote monitoring management, we talked about it. Cyber-security is what we talked about today. Backup and disaster recovery, those are all components. On that topic, I stress to everybody, get away from using these drives. Get away from manual backups. Get a system that does something locally, then it automatically sends it off to the cloud, where you can recover or operate your business. It's inexpensive insurance and everybody should have it.

The companies that we serve or the industries that we serve, we run the gambit, health care, non-profit, manufacturing is a big push for us, particularly small manufacture, they are tied to technology. Even more so some of these other businesses. These machines are run by the network, so it's critically important. A lot of state and local government, professional services.

 So, if you need some help, here's how you can do it. We'd love to provide a network assessment for you if you needed any help. We'll come in, we'll look at it. You can just schedule it, it's free. If you wanna buy something, we still sell things so that's good to know. And lots of times, customers find it's very confusing. You can buy things for the same price that we can sell 'em for you...sell them to you, but lots of times where you're buying the right thing, that's why we provide a lot of value.

 And if you have a question or anything, call us. We'd love to help you. Whether you're a client or not a client, if we can help you, we certainly wanna do that. So, a couple of things here as we close this off. Be safe, right? That's the single best thing you could do. Get your employees trained so they know what they're doing. Start now. Put this plan together. Like I said, there's no reason to push this off, you wanna do it today. Get help, you need it. Look to outsource. Look to a company that can provide it to you. And then, at the end of this presentation, there'll be a link where there will be a quick test.

 Listen, it's a way to get you engaged with us from a business perspective. It's non-threatening. It'll give you a sense of where your technology measures up in comparison with your peers, and I always think it's a good idea to know where you stand. So, that's it. I wanna thank everybody for their time today. I really appreciate it. If there's anything specific that you think that you wanted to know, or a deeper dive on this, we'd love to be able to answer those questions. And as always, we appreciate the opportunity to earn your business each and every day. Thanks.

ct small business guide

About The Author

President of NSI, Tom has been helping small and medium businesses succeed in Connecticut for over 25 years.