This document provides 12 cybersecurity rules for small businesses. It begins by stating that small businesses have a great need for cybersecurity but limited resources to dedicate to protection. The rules are designed to provide affordable guidelines. The first rule is to focus on the business needs rather than making security the primary focus. Other rules include deciding the appropriate level of security needed, emphasizing prevention over reaction, using existing security software, regularly backing up important data, and creating a written security policy. The document stresses that basic security measures can be effective and affordable for small businesses.
2. Purpose of this presentation
• Small businesses form the foundation of our economy. Their need for information security is as great as a multi-national business, but they usually do not have the resources to dedicate to protecting their systems.
• Security does not have to be as complicated (or expensive) as it may seem
• The following rules are designed to serve as guidelines for small businesses as they consider options for securing their computer resources.

4. Concentrate on the Business
• Security is a support function for the business. It is not “the” business.
• Choose security technologies and techniques that support and enable the business
• Avoid changing the business to accommodate security products (there are lots of options)

5. Concentrate on the Business
[Diagram; labels only: Business Requirements, Security Policy, Security Services, Security Technologies, Secure Operations]

7. What do you need?
• There are a variety of available security technologies
• Price/availability/interoperability must all be considered
• Sometimes doing nothing is OK
• Defense in Depth as a strategy for a secure infrastructure

8. What do you need?
• Security is cumulative
• No single solution
• “We have a firewall!!!”
• Examine cost/benefit of each approach vs. cost of security incidents
• Focus first on biggest vulnerabilities
• Get what you need, but no more.

10. Security is more than technology
• Employee awareness of need for security
– Formal training vs teaching moments
• Operations Security
– The whole point of operations security is to have a set of operational (daily, habit ingrained) practices that make it harder for another group to compile critical information.

12. It’s Your Security
• Not everything can be done in-house
– You will have to buy at least some commercial products
– You may need to bring in outside consultants
• Make sure that all security components are well documented
– Configuration, installation, etc.
– Changes will need to be made eventually
• Be careful with factory defaults
– Easier for remote tech services, but potential vulnerabilities

14. Use The Security Software That You Already Own
• OS built-in security
– Firewall
– Built-in file encryption
• Not the strongest, but…
• Browser Security
– No pop-ups
– Limit access to certain websites
– Lock settings to avoid changes that may compromise security

16. Data Back-ups
• Simple vs. Complex
• Cheap vs. Expensive
• Time-consuming vs. Scheduled
• Manual vs. Automated
• Options
• CD-ROMs/Thumb drives
• Carbonite
• How Often?

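As an added example (not from the slides, and not a tool the presenter recommends), the “scheduled” and “automated” side of the choices above as a small POSIX shell routine a business could run unattended from cron: it archives one directory, records a SHA-256 checksum, verifies the archive immediately, keeps only the newest N copies, and refuses to restore an archive that no longer verifies. It needs only tar and sha256sum (or shasum). The paths, the backup-<timestamp> naming scheme and the cron line are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): an automated, verifiable backup routine
# for one directory, meant to run unattended from cron. All paths and the
# "backup-<timestamp>" naming scheme are illustrative assumptions.
set -eu

# Print the SHA-256 of a file, using whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_backup ARCHIVE
# Succeeds only if the recorded checksum still matches and the archive can
# be listed. A backup that cannot be read back is not a backup.
verify_backup() {
    archive="$1"
    [ -f "$archive.sha256" ] || return 1
    expected=$(cat "$archive.sha256")
    actual=$(sha256_of "$archive")
    [ "$expected" = "$actual" ] && tar -tzf "$archive" >/dev/null
}

# prune_backups DEST KEEP
# Deletes all but the newest KEEP archives (and their checksum files).
# Timestamps in the names are zero-padded, so lexical order is chronological.
prune_backups() {
    dest="$1"; keep="$2"
    ls "$dest"/backup-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# backup_dir SRC DEST [KEEP]
# Archives SRC into DEST/backup-<UTC timestamp>.tar.gz, records its SHA-256,
# verifies it, prunes older copies and prints the new archive's path.
backup_dir() {
    src="$1"; dest="$2"; keep="${3:-7}"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar.gz"
    # -C makes the archive hold paths relative to SRC's parent, so it can be
    # restored anywhere, not only at the original location.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    sha256_of "$archive" > "$archive.sha256"
    if ! verify_backup "$archive"; then
        echo "backup verification failed: $archive" >&2
        return 1
    fi
    prune_backups "$dest" "$keep"
    printf '%s\n' "$archive"
}

# restore_backup ARCHIVE TARGET
# Restores into TARGET, but only from an archive that still verifies.
restore_backup() {
    archive="$1"; target="$2"
    verify_backup "$archive" || return 1
    mkdir -p "$target"
    tar -xzf "$archive" -C "$target"
}

# Illustrative cron entry (assumption): nightly at 02:00, keep 14 copies.
#   0 2 * * * /usr/local/bin/backup.sh
# where backup.sh sources this file and runs:
#   backup_dir /srv/shared /mnt/backup 14
```

The immediate verification after each run is the part most worth copying: a scheduled job that silently writes unreadable archives looks identical to a working one until the day a restore is needed, and restore_backup checks the checksum again so a copy that was damaged or altered on the backup medium is noticed rather than quietly unpacked.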
20. Access Control
• System administration is a one person job
– Only one person needs to be able to have full control over the system (backup sysadmin ok, but no more)
• The crown jewels of the business need to be limited to specific personnel
– How?
• Password-protected files
• Separate computers for sensitive data

22. Secure Your Wi-Fi
• Almost every business has one.
• They are easy to find and easy to exploit, especially if simple security measures are not used
• Current encryption standards for WiFi are not particularly strong, but they are usually enough to dissuade the bad guys, especially since there are almost certainly unsecured WiFi networks nearby

24. Security Policies
— Start with a written Security Policy.
— You must have a plan
— Know your assets and know your risks
— Cover the basics first.
— Then apply technology to support your policy and solve specific problems.
— Authentication
— Confidentiality and Integrity
— Perimeter defense
— Intrusion Detection and Audit

26. Physical Security
• Physical security is as important as any other form of information security
• Computers should not be accessible by unauthorized users
• Servers should be guarded with sufficient care to protect the data they contain.
• Challenge strangers

28. There is no panacea
Security is the process of enabling the protected information system to do what it was designed to do. Nothing more, nothing less.
You will not have perfect security, no matter how much money you are able to spend …but it doesn’t have to be perfect.

29. Take Home Points
• Security is not the business, it supports the business
• Decide what you need, don’t rely on a vendor to tell you what you need
• There are a variety of inexpensive (or free) approaches to security that provide excellent protection
• Physical security is at least as important as any other form of protection
• Don’t strive for perfect security. You only need to secure enough that it’s not worth the effort required of the bad guys

30. James Cannady, Ph.D.
Graduate School of Computer and Information Sciences
Nova Southeastern University
cannady@nova.edu