An official website of the United States government
Cyber incidents have surged among small businesses that often do not have the resources to defend against devastating attacks like ransomware. As a small business owner, you have likely come across security advice that is out of date or that does not help prevent the most common compromises. For example, odds are that you have heard advice to never shop online using a coffee shop’s wi-fi connection. While there was some truth to this fear a decade ago, that’s not how people and organizations are compromised today. The security landscape has changed, and our advice needs to evolve with it.
This advice is different.
Below, we offer an action plan informed by the way cyber attacks actually happen. We break the tasks down by role, starting with the CEO. We then detail tasks for a Security Program Manager, and the Information Technology (IT) team. While following this advice is not a guarantee you will never have a security incident, it does lay the groundwork for building an effective security program.
Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:
A note on MFA: Multi-factor authentication (MFA) is a layered approach to securing your online accounts and the data they contain. It’s the idea that you need more than a password to keep your data and accounts safe. When you enable MFA for your online services (like email), you provide a combination of two or more authenticators to verify your identity before the service grants you access. Common forms of MFA are SMS text messages sent to your phone, 6-digit codes generated on a smartphone application, push notifications sent to your phone, and physical security keys.
Using MFA protects your account more than just using a username and password. Users who enable MFA are MUCH less likely to get hacked. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement ultimately stopping them from gaining access to your accounts.
The Security Program Manager will need to drive the elements of the security program, inform the CEO of progress and roadblocks, and make recommendations. These are the Security Program Manager’s most important tasks:
In addition to the advice here, we urge you to look at the information and toolkits available from our Cyber Essentials series to continue to mature your program.
The top tasks for the IT lead and staff include the following:
There are, of course, many other IT tasks that add to a good security program. While this list is not exhaustive it does contain the top actions you can take that addresses the most common attacks.
When security experts give cybersecurity advice, they usually assume you are only willing to make small changes to your IT infrastructure. But what would you do if you could reshape your IT infrastructure? Some organizations have made more aggressive changes to their IT systems in order to reduce their “attack surface.” In some cases, they have been able to all but eliminate (YES, WE SAID ELIMINATE!) the possibility of falling victim to phishing attacks. Sound interesting? Keep reading!
One major improvement you can make is to eliminate all services that are hosted in your offices. We call these services “on premises” or “on-prem” services. Examples of on-prem services are mail and file storage in your office space. These systems require a great deal of skill to secure. They also require time to patch, to monitor, and to respond to potential security events. Few small businesses have the time and expertise to keep them secure.
While it’s not possible to categorically state that “the cloud is more secure,” we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.
While all operating system vendors work to continuously improve the security of their products, two stand out as being “secure by design,” specifically, Chromebooks and iOS devices like iPads.
Some organizations have migrated some or all their staff to use Chromebooks and iPads. As a result, they have removed a great deal of “attack surface,” which in turn makes it much harder for attackers to get a foothold. Even if an attacker were able to find a foothold on those systems as part of a ransomware attack, the data primarily lives in a secure cloud service, reducing the severity of the attack.
Any form of MFA is better than no MFA. Any form of MFA (like SMS text messages, or authenticator codes) will raise the cost of attack and will reduce your risk. Having said that, the only widely available phishing resistant authentication is called “FIDO authentication.” When an attacker eventually tricks you into trying to log into their fake site to compromise your account, the FIDO protocol will block the attempt. FIDO is built into the browsers and smartphones you already use. We urge you to learn how FIDO resists phishing attacks.
The combination of a cloud-hosted email service, secure-by-default devices, and FIDO authentication will dramatically raise the cost for attackers and will dramatically reduce your risk. It’s worth considering.
In addition to those highlighted above, here are some additional resources available, at no cost, to help improve your cybersecurity.
Stopransomware.gov
As part of the whole-of-government approach to combating ransomware, CISA created StopRansomware.gov, a one-stop-shop of free resources for organizations of any size to protect themselves from becoming a victim of ransomware. If you have experienced a ransomware attack, we strongly recommend using the following checklist from our Ransomware Guide.
Regional Support
Reach out to our Regional Team in your local area for tailored assistance. Aligned to specific areas, the regions provide a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators and state, local, tribal, and territorial partners.
Free Cybersecurity Tools and Resources
CISA offers a list of free cybersecurity tools and services that serves as a living repository of cybersecurity services provided by CISA, widely used open-source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
Cybersecurity Evaluation Tool (CSET)
The Cybersecurity Evaluation Tool (CSET) is an open source self-assessment tool designed for stakeholders to install on their endpoint device. For those interested in using the tool or participating in CISA’s open source community, visit https://github.com/cisagov/cset. To download the file, click https://cset-download.inl.gov/.
Risk Management Considerations
For businesses and organizations considering using a Managed Service Provider (MSP) for your security services, review CISA’s guidance on important risk management considerations.
Cloud Security
For businesses and organizations, considering using a Cloud Service Provider (CSP), review CISA’s guidance on cloud security.
Was this webpage helpful? Yes | Somewhat | No
Need CISA’s help but don’t know where to start? Contact the CISA Service desk.
Cyber Guidance for Small Businesses – CISA
