Your small businesses exist because you believe in a vision enough to do it yourself.
For startups and small businesses, success revolves around how well we utilize readily available resources and keen focus on the critical few high leverage actions. Our companies rely on our ability to ‘make it work.’ It is not about the budgets we don’t have or the person we need. Instead, we do what we do because we must.
This focus extends to our cybersecurity. Accordingly, Measure 2 of our Reasonable and Prudent Guide is all about making what you have work to protect your business in these four steps:
First, look at what you have—or in other words, discover and define your assets.
Nothing is manageable until you understand what you have. Make an inventory of everything that uses a central processing unit – laptops, mobile phones, servers, firewalls, routers, etc.
Second, work with what you’ve got—patch your assets.
Patches (provided by the creator of your software) update your software to its most secure version. Our grandmothers patched the holes in jeans; we patch holes in our software security. It’s the same principle. Of course, we break it down even further for you* but remember that keeping your software up to date extends an asset’s useful life to keep working with what you’ve got.
Third, just like you identified your assets, identify your asset’s vulnerabilities.
Vulnerabilities are like the soft, unprotected underbelly of your systems – the place you’re most likely to get hit by a malicious actor. Therefore, use your asset inventory and leverage sophisticated, yet free tools* to identify an asset’s known vulnerabilities. Most IT asset OEMs (Original Equipment Manufacturers like Microsoft, Cisco, Oracle, IBM) have a high incentive to release updates regularly to patch these vulnerabilities. Once you’ve determined your system’s baseline security*perform a vulnerability scan. This can be either unauthenticated (externally probing the network perimeter to identify vulnerabilities), or authenticated (internally testing for missed patches, misconfigurations and other potential weak spots in your system scans). The scan creates a detailed (often mind-numbingly so) report of vulnerabilities of various criticality. Some vulnerabilities are related to the asset’s configuration, some are related to software needing to be patched. IT personnel can peruse these reports, but often it’s necessary to have a cybersecurity analyst review the reports to separate the “wheat from the chaff.”
Fourth and finally, keep all this hard work from going to waste by implementing basic endpoint hardening.
Your endpoints are the things you’re the most familiar with—your laptops, your phones, plus all the other assets you’ve identified. We’ve talked about understanding what you have (identifying assets), what the OEM recommends (patching), and taking a critical look at what vulnerabilities might still exist. Stay on top of patch management by committing to a regular schedule of action. Use tools like Microsoft Defender (e.g., local computer antivirus and firewall software) and hardware firewall devices to strengthen the protection of individual workstations and your network. Limit who has administrative privileges, secure those accounts carefully (a subject of a future post), and adopt the principle of least privilege—that’s when a user is given just the minimum levels of access needed to perform his/her job functions. One last thing—don’t run your information system on top of old, dinosaur operating systems.
Small businesses are resilient and resourceful—to survive, you have to be. Let us help you capitalize on the resources you have to protect the vision you care about. Let’s ‘make it work’ together, building a more secure future here in Western North Carolina!
*Want to understand any of these steps better? Receive a free Reasonable and Prudent Guide for Small and Mid-Sized Businesses in your inbox by writing “Guide, please!” in the contact form here. And don’t worry—we don’t share your information with anyone else!
