Presented by Brian Vigna, Instructional Designer, NC State University Industry Expansion Solutions (IES)
This webinar is for small business owners and managers as well as employees involved in security planning.
October is National Cyber Security Awareness Month and a perfect time to think about how you can plan, prepare and become more cyber-secure.
2023 is the 20th annual Cyber Security Awareness Month and things are moving faster than ever in the world of cyber security. As a small business owner, you will likely encounter daily messages and warnings about cyber security. Often the rules, regulations and motivations to “do cyber” are unclear or overly complicated. In this blog I wanted to provide 7 realistic, practical steps you can take, regardless of the size, complexity, location or industry you are a part of. Remember that not all the steps will mean the same thing to everyone and will be used as a foundation for cyber security instead of a set of requirements. With that said, let us get to the fun part!
- Identifying a Security Goal or Target – Easier said than done- is appropriate for this one! Producing a plan, goal, target or just a direction to head in may be the most challenging part of becoming a cyber secure organization. However, choosing a goal is an incredibly practical way of getting anything done. Think of your business as a blank slate, like a backyard needing landscaping or a new home needing decorating. If you run to Home Depot or Lowes without a plan, a goal or a shopping list, you will likely come home with a hodgepodge of random things that may look nice or serve a purpose but do not fit or work together. Choosing a security goal is much the same and maybe even more accessible! Whether or not you work with the defense industry, you have likely heard of the Cybersecurity Maturity Model Certification (CMMC). CMMC is a new cyber security standard built on one of the most tried and tested security standards ever invented, NIST 800-172. CMMC has lots of details, information and most importantly controls. CMMC level 1 is the most basic level of protection and it prescribes just 17 controls. These controls are the blueprint, the shopping list and the interior decoration planning guide. Give CMMC a thought, it may be the right starting point for your organization.
- Create a Security Plan – We talked about CMMC earlier and can now move from the planning to the action stage. After choosing a goal or target, you need to plan to meet it or record what you’re doing to accomplish it already. That’s the role of a System Security Plan or SSP. Don’t let the technical term scare you off, it just means recording what you do today for cyber security and some planning for what you want to do in the future. SSPs can be essential, detailed, complex, or simple. There is no single approach, but they should be in place and regularly revised based on changing technology, controls, and organizational needs.
- Get Everyone Involved – An all-too-common mistake is believing that cyber security is:
- Nobody’s job
- Only the “tech guy’s” job or
- A job nobody on our staff is qualified to do.
- Training and Culture – New hires, annual, incident/just-in-time training
- Perform a Self-Assessment – Self-assessment can sound scary, but at CMMC Level 1, a self-assessment is little more than a list of reasonable controls/policies that should be in place based on your security plan. Going through a self-assessment is a great way to see where you are meeting the prescribed controls, and where you are failing to meet them.
- Take Corrective Action – Plan Of Action and Milestones (POAM) are a fancy way of saying, “things we need to fix”. It refers to a list of corrective actions with expected dates of completion. According to NIST, a POA&M is “A document that identifies tasks needing to be accomplished. It details resources required to accomplish the plan’s elements, any milestones for meeting the tasks, and scheduled milestone completion dates”.
- Audit, Review, Update – Cyber is not a one-time deal, think of it as you think of going to the dentist. At least a few times a year for regular checkups, and emergency visits if problems arise Don’t forget to attend our upcoming webinar, “Practical Steps Towards Cyber Security” if you want to learn more about the technical controls and planning that can make your organization more secure.
This outdated mindset leads to ignoring problems, lacking solutions and isolating the responsibility of cyber security to a small group or individual. In today’s cyber landscape, you must accept that the weakest link is the people you work with. Everyone from the secretary, accountant, floor supervisor and CEO is the target. Start by accepting the cyber challenge for everyone, only then can you have the right conversations with the right people. Discuss cyber news, trends, planning, concerns and corrective actions with the staff regularly. When installing new equipment and working with partners, bring up cyber at monthly meetings. Don’t push cyber to the side until it becomes an issue, because preventative maintenance is always cheaper, easier, and more effective than the alternative.
Brian Vigna is an Instructional Designer and Security Awareness Training Specialist in the professional learning and instructional design unit for NC State Industry Expansion Solutions (IES). Brian has worked as an adult educator, trainer and instructional designer for more than a decade. Brian has taught a variety of information technology certification and professional development courses at the collegiate level, with small businesses, as well as in collaboration with the United States government. Brian is currently certified in CMMC (Registered Practitioner), CISSP, CompTIA Security+, CompTIA A+, CompTIA Network+, CompTIA Cloud Essentials. He is a Microsoft Certified Professional, AWS Solutions Architect and an AWS Cloud Practitioner. Brian is also currently pursuing a M.S. in education from NC State University.