Cyber Guidance for Small Businesses

A Different Kind of Cybersecurity Advice

Small businesses often do not have the resources to defend against devastating cyber threats like ransomware. As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s wi-fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.

This advice is different.

Below, we offer an action plan informed by the way cyberattacks actually happen. We break the tasks down by role, starting with the Chief Executive Officer (CEO). We then detail tasks for a Security Program Manager and the Information Technology (IT) team. While following this advice is not a guarantee you will never have a security incident, it does lay the groundwork for building an effective security program.

Role of the CEO

Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:

  1. Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security must be an “everyday” activity, not an occasional one. For example, set goals to improve the security of your data and accounts through the adoption of multifactor authentication (MFA) (more on that below), the percentage of systems you have fully patched, and the percentage of systems that you back up.
  2. Select and support a “Security Program Manager.” This person doesn’t need to be a security expert or even an IT professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on progress and roadblocks to you and other senior executives at least monthly, or more often in the beginning.
  3. Review and approve the Incident Response Plan (IRP). The Security Program Manager will create a written IRP for the leadership team to review. The IRP is your action plan before, during and after a security incident. Give it the attention it deserves in “peace time,” and involve leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident.

    PRO TIP: Invoke the IRP even when you suspect a false alarm. “Near misses” drive continuous improvements in the aviation industry, and the same can be true for your security program. Never let a near miss go to waste!
  4. Participate in tabletop exercise drills (TTXs). The Security Program Manager will host regular attack simulation exercises called tabletop exercises. These exercises will help you and your team build reflexes that you’ll need during an incident. Make sure your senior leaders attend and participate.
  5. Support the IT leaders. There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts instead of asking IT to do so. For example, do not rely on the IT team to persuade busy staff that they must enable MFA. Instead, make the MFA announcement to the staff yourself and keep track of the progress. Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.

A note on MFA: MFA is a layered approach to securing your online accounts and the data they contain. Any form of MFA is better than no MFA. Any form of MFA (like SMS text messages, or authenticator codes) will raise the cost of attack and will reduce your risk. Having said that, phishing is consistently the most cost-effective way for attackers to compromise systems, and the only widely available phishing resistant authentication is called “FIDO authentication.” When an attacker eventually tricks you into trying to log into their imposter site to compromise your account, the FIDO protocol will block the attempt. FIDO is built into the browsers and smartphones you already use. We urge you to learn how FIDO resists phishing attacks.

The combination of a cloud-hosted email service, Secure by Design devices, and FIDO authentication will dramatically raise the cost for attackers and will dramatically reduce your risk. It’s worth considering.

Role of the Security Program Manager

The Security Program Manager will need to drive the elements of the security program, inform the CEO of progress and roadblocks, and make recommendations. These are the Security Program Manager’s most important tasks:

  1. Training. All staff must be formally trained to understand the organization’s commitment to security, what tasks they need to perform (like enabling MFA, updating their software, and avoiding clicking on suspicious links that could be phishing attacks), and how to escalate suspicious activity
  2. Write and maintain the IRP. The IRP will spell out what the organization needs to do before, during, and after an actual or potential security incident. It will include roles and responsibilities for all major activities and an address book for use should the network be down during an incident. Get the CEO and other leaders to formally approve it. Review it quarterly and after every security incident or “near miss”. Need to know where to start? Look to our IRP Basicstwo-pager with advice on what to do before, during and after an incident. To request assistance or to share information about an incident that can help protect other potential victims, you can contact CISA at https://www.cisa.gov/report.
  3. Host quarterly tabletop exercises (TTXs). A TTX is a role-playing game where the organizer (possibly you!) presents a series of scenarios to the team to see how they would respond. A common scenario involves one employee discovering their laptop is blocked by ransomware. Symphonies and sports teams practice regularly, and your organization should, too. CISA has Cybersecurity Tabletop Exercise Tips to get you started.
  4. Ensure MFA compliance. Yep--MFA Again! The most important step an organization can make is to ensure that all staff use MFA to log into key systems, especially email. While this task is also listed under the IT section below, multiple people must review the MFA status regularly.

In addition to the advice here, we urge you to look at the information and toolkits available from our Cyber Essentials series to continue to mature your program.

Role for the IT Lead

The top tasks for the IT lead and staff include the following:

  1. Ensure MFA is mandated using technical controls, not faith. Some organizations have instructed their users to enroll in MFA, but not all users complete that task. There are often MFA gaps for recently onboarded staff and for people who have migrated to a new phone. You’ll need to regularly look for non-compliant accounts and remediate them. Verify, verify, verify MFA stats..
  2. Enable MFA for all system administrator accounts. System administrators are valuable targets for attackers. You might assume that they would reflexively enroll in MFA. Yet Microsoft reports that around half of Azure Active Directory global administrators use MFA. In many compromises, attackers were able to get a foothold on the system administrator’s account, and from there they had complete access to all the company’s assets.
  3. Patch. Many attacks succeed because the victims were running vulnerable software when a newer, safer version was available. Keeping your systems patched is one of the most cost-effective practices to improve your security posture. Be sure to monitor CISA’s Known Exploited Vulnerabilities (KEV) Catalog, a list of the vulnerabilities we see attackers using in real attacks. Prioritize the vulnerabilities in the KEV. Also, where possible enable auto-update mechanisms.
  4. Perform and test backups. Many organizations that have fallen victim to ransomware either had no backups or had incomplete/damaged backups. It’s not enough to schedule all important systems to have a regular backup. It’s critical to regularly test partial and full restores. You’ll have to pick a cadence for the backups (continuous, hourly, weekly, etc.). You’ll also want to write a plan for the restoration. Some organizations experiencing ransomware attacks found that the time to restore their data was significantly longer than expected, impacting their business.
  5. Remove administrator privileges from user laptops. A common attack vector is to trick users into running malicious software. The attacker’s job is made easy when users have administrator privileges. A user who lacks administrator privileges cannot install software, and this type of attack won’t work.
  6. Enable disk encryption for laptops. Modern smartphones encrypt their local storage, as do Chromebooks. Windows and Mac laptops, however, must be configured to encrypt their drives. Given how many laptops are lost or stolen each year, it’s important to ensure that your laptop fleet is protected.

All of the above steps may leave you wondering if the products you use are as secure as they could be. Very often, the answer is that the software manufacturers create products using components and practices that inevitably lead to common vulnerabilities. In addition to putting into practice the above steps, we urge you to learn more about how software companies can create software that is “secure by design”. Read more here: https://www.cisa.gov/securebydesign.

Achieving the Highest Security Posture

When security experts give cybersecurity advice, they usually assume you are only willing to make small changes to your IT infrastructure. But what would you do if you could reshape your IT infrastructure? Some organizations have made more aggressive changes to their IT systems to reduce their “attack surface.” In some cases, they have been able to all but eliminate (YES, WE SAID ELIMINATE!) the possibility of falling victim to phishing attacks. Sound interesting? Keep reading!

On premises vs cloud

One major improvement you can make is to eliminate all services that are hosted in your offices. We call these services “on premises” or “on-prem” services. Examples of on-prem services are mail and file storage in your office space. These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure.

While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.

Secure endpoints

While all operating system vendors work to continuously improve the security of their products, two stand out as being “secure by design,” specifically, Chromebooks and iOS devices like iPads.

Some organizations have migrated some or all of their staff to use Chromebooks and iPads. As a result, they have removed a great deal of “attack surface,” which in turn makes it much harder for attackers to get a foothold. Even if an attacker were able to find a foothold on those systems as part of a ransomware attack, the data primarily lives in a secure cloud service, reducing the severity of the attack.

Additional Information*

For more information and resources for Small and Medium-sized businesses, visit Small and Medium Businesses | Cybersecurity and Infrastructure Security Agency CISA and our Small Business Week page: cisa.gov/small-business-week. 

*This page was updated in April 2024.