5 Cybersecurity Standards for Small and Midsize Businesses
As small and midsize business leaders, we understand the need to comply with regulatory and industry requirements. We also want and need our IT services to support our business priorities and fit within our budget. So how much cybersecurity is enough? Our cyber insurance partner, Datastream, analyzed policies and coverages for nearly 8 million businesses across dozens of industries globally. The most common cyber attacks exploit weak credentials, human behavior, and out-of-date software to gain access to your systems and data. From there, attackers can launch not only ransomware but also business email compromise and other costly and damaging attacks. The result: Datastream identified a bare minimum set of 5 cybersecurity standards.
The 5 Minimum Cybersecurity Standards
To address the most common and costly forms of cyber attacks, implement these 5 cybersecurity standards.
1 Multi-Factor Authentication (MFA)
MFA requires a second factor, in addition to the password, when logging in. Whether the second factor is delivered by text message, authenticator app, one-time password, or magic link, MFA can stop attackers from using credentials they have stolen or guessed. Text-message codes and simple push approvals are the weakest options, since they can be intercepted or phished; authenticator apps or hardware security keys are better wherever you can use them. According to Microsoft, MFA blocks more than 99.9% of automated account-compromise attacks.
While the minimum standard is coverage for email access and remote network connections, we recommend using MFA for access to any and all critical systems, applications, and data.
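To make concrete what the second factor adds, here is an added example (my code, not code from the original post or from Cumulus Global) implementing the time-based one-time password scheme that authenticator apps use (RFC 6238, built on the HOTP construction of RFC 4226), together with the server-side check that accepts a code within one 30-second step of clock skew and refuses a code that has already been used. The secret and its base32 form are the RFC test-vector values, not anything from the page, and the class name TotpVerifier is my own.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # step size authenticator apps use
DIGITS = 6


def secret_from_base32(text):
    """Decode the base32 secret shown in an enrollment QR code (spaces and missing padding tolerated)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS):
    """RFC 6238: HOTP with the counter derived from Unix time; this is what the phone app displays."""
    now = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, now // step)


class TotpVerifier:
    """Server side of the login. A stolen password alone never satisfies verify()."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window          # accept +/- this many steps of clock skew
        self.last_counter = -1        # highest time step already consumed

    def verify(self, code, at_time=None):
        now = int(time.time()) if at_time is None else int(at_time)
        counter = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue              # reject replay of a code that was already accepted
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


# RFC 4226 / RFC 6238 test-vector secret ("12345678901234567890"), not a real credential.
TEST_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    # Second verify() of the same code is a replay and must fail.
    print(code, verifier.verify(code, at_time=59), verifier.verify(code, at_time=59))
    # -> 287082 True False
```

Two operational points follow from the code: the 6-digit space is small, so the server must rate-limit attempts per account, and a TOTP code is still something a user can be tricked into typing into a phishing page that relays it within the 30-second window; FIDO2 security keys and passkeys close that gap because the browser only answers the genuine origin.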
2 Encryption
Do you encrypt all sensitive information at rest, including backups?
Most of our systems and applications already encrypt data in transit (in motion). Encrypting data at rest, wherever it resides, protects it when a laptop is lost or stolen, when a drive is removed, or when a copy of the data is taken; it does not protect against an attacker who has logged in with an account that can already read the data, which is why MFA and limited permissions still matter. Encryption should be in place on workstations and personal computers, not just on servers and in cloud-based services.
Just as important, backups should be encrypted. Unencrypted backups give cyber attackers easy access to data, and the encryption keys should be kept separate from the backups themselves. Backups should also be stored off-site or in the cloud using immutable (write-once) storage, so that an attacker who reaches the backup target cannot encrypt, alter, or delete the existing backup sets during a ransomware attack.
3 Data Recovery
In the last 6 months, has your company tested its ability to recover all business-critical data and systems within 10 days or less, from offline or cloud backups that are no more than a week old?
Backing up data and systems is easy. Recovery is hard. Knowing that you can reliably restore your data and systems, and proving it with a test, demonstrates your level of protection and how well you have reduced risk. Documenting these tests can affect your cyber insurance premiums.
While the 10-day recovery window is a minimum expectation, it may not be sufficient for your business. We recommend analyzing your business needs and setting goals to return to operations in a way that minimizes the impact of any disruption.
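A restore test is only as good as the backup set it restores from, so before the drill you want to know that the set is authentic, complete, and within the one-week age limit in the question above. The following added example (my code, not the page's or Cumulus Global's) shows one such check, covering both the backup-protection point in the Encryption section and the recovery test here: a manifest of per-file SHA-256 digests, authenticated with an HMAC key kept outside the backup store so that an attacker who reaches the backups cannot simply rewrite the manifest to match altered files, plus a freshness check. It does not perform the encryption itself; the sample files, key, and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(days=7)   # "no more than a week old", from the recovery question above

# Constructed sample backup set and MAC key. In practice the key lives in a secrets store,
# never on the same volume or bucket as the backups it authenticates.
SAMPLE_FILES = {
    "ledger.csv": b"2024-02-28,invoice 1041,1250.00\n",
    "customers.db": b"SQLite format 3\x00" + bytes(32),
    "config.json": b'{"retention_days": 30}',
}
MAC_KEY = b"example-manifest-key-do-not-reuse"


def _canonical(body):
    # Identical byte string on both sides, so the MAC is reproducible.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, created_at, mac_key):
    """Digest every file and sign the digest list; store the result alongside the backup set."""
    body = {
        "created_at": created_at.isoformat(),
        "files": {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())},
    }
    return {"body": body, "mac": hmac.new(mac_key, _canonical(body), hashlib.sha256).hexdigest()}


def check_backup(files, manifest, mac_key, now):
    """Return a list of problems; an empty list means the set is authentic, complete, and fresh."""
    expected = hmac.new(mac_key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # Without a valid MAC the digests inside the manifest prove nothing.
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    problems = []
    body = manifest["body"]
    age = now - datetime.fromisoformat(body["created_at"])
    if age > MAX_BACKUP_AGE:
        problems.append(f"backup is {age.days} days old, exceeds the {MAX_BACKUP_AGE.days}-day limit")
    for name, digest in body["files"].items():
        if name not in files:
            problems.append(f"missing file: {name}")
        elif not hmac.compare_digest(hashlib.sha256(files[name]).hexdigest(), digest):
            problems.append(f"content mismatch: {name}")
    for name in files:
        if name not in body["files"]:
            problems.append(f"file not in manifest: {name}")
    return problems


def scenario_results():
    """Run the check against a clean set and three failure modes a restore drill should catch."""
    created = datetime(2024, 3, 1, tzinfo=timezone.utc)
    manifest = build_manifest(SAMPLE_FILES, created, MAC_KEY)
    results = {"clean": check_backup(SAMPLE_FILES, manifest, MAC_KEY, created + timedelta(days=3))}

    # 1. A file in the backup store was altered (ransomware, bit rot, or a bad copy).
    tampered = dict(SAMPLE_FILES)
    tampered["ledger.csv"] = b"2024-02-28,invoice 1041,0.00\n"
    results["tampered_file"] = check_backup(tampered, manifest, MAC_KEY, created + timedelta(days=3))

    # 2. The newest usable backup is older than the weekly limit.
    results["stale"] = check_backup(SAMPLE_FILES, manifest, MAC_KEY, created + timedelta(days=10))

    # 3. The attacker also rewrote the manifest to match the altered file, but lacks the key.
    forged = json.loads(json.dumps(manifest))
    forged["body"]["files"]["ledger.csv"] = hashlib.sha256(tampered["ledger.csv"]).hexdigest()
    results["forged_manifest"] = check_backup(tampered, forged, MAC_KEY, created + timedelta(days=3))
    return results


if __name__ == "__main__":
    for name, problems in scenario_results().items():
        print(f"{name}: {problems or 'OK'}")
```

The check is deliberately cheap enough to run on every backup job, not just at drill time; a MAC mismatch or a content mismatch on a routine run is an early signal that the backup target has been reached, which immutable storage is meant to prevent in the first place.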
4 Automated Hardening Policies
Do you implement automated hardening policies?
Hardening systems is the process of limiting the attack surface of your systems, applications, and data. Hardening tactics include:
- Removing unused applications and accounts
- Disabling unnecessary services, ports, protocols, and features
- Limiting administrative permissions and access
- Logging appropriate activities, errors, and warnings
Configuring hardened systems, and keeping them hardened as settings drift, is easiest with a remote monitoring and management (RMM) system that applies the policies automatically and reports deviations. Because an RMM can push changes to every endpoint it manages, protect its own administrative accounts with MFA and limit who can use it.
5 Patches and Updates
Do you apply critical patches and updates to key IT systems and applications within two months?
Updates and patches to operating systems are familiar and comfortable. We regularly receive and apply updates to our smartphones, laptops, and desktops, most often as part of a default, automated process. We may not, however, be as diligent with our business systems and applications.
Updates and patches to databases, applications, and other software often require validation and may require changes to settings and integrations. Regularly reviewing updates and patches, and having a process in place to test and apply them, ensures that your systems have current security fixes and features. Treat two months as the outer limit: patches for vulnerabilities that are being actively exploited should be applied within days, not weeks.
Your Next Steps
Having these five cybersecurity standards in place represents a no-nonsense minimum that protects your business and can improve your cybersecurity coverage and premiums.
Our eBook, Cyber Security Requirements for Cyber Insurance, dives deeper to define basic, preferred, and best practices. You can, and should, scale your cybersecurity to meet your business’s specific risks, priorities, and budget.
We offer multiple assessments to help you understand and benchmark your current cybersecurity.
- Rapid Security Assessment
- Cyber Insurance Risk Assessment
These assessments are free with a Referral Code. Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your code.
Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.
About the Author
Allen Falcon is the co-founder and CEO of Cumulus Global. Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.