By Ben Kast   /   Aug 24th, 2021

Five Cybersecurity Management Concepts for Small Organizations

For small organizations, managing cybersecurity risk can be a daunting challenge, especially for teams made up of predominantly non-technical staff members.

At LMG, we recognize that many organizations we assist are not in the business of technology but have critical information systems and data they must protect. They have a strong need for cybersecurity management concepts in order to enable their business activities and ambitions, but limited resources available to implement security steps.

Some organizations may have an IT staff who own IT responsibilities, and some bring in the outside support of managed service providers (MSPs) and other outside consultants. Regardless of team structure, larger organizations often have an IT department and a separate Information Security department that is tasked with overseeing the security of IT solutions. This separation of duties, among other benefits, serves in keeping the two groups honest and free of conflicts of interest.

Smaller organizations, without the benefit of a separate information security function, often rely on the expertise of trusted technical advisors like MSPs, or in the event they have internal IT staff, they will look to these team members to provide information security guidance. In this case, the same people tasked with keeping systems available are also placed in the position of assuring the security of these same systems. This is not only a potential conflict of interest, but also potentially outside of their expertise and capabilities.

For this reason, I developed the following five cybersecurity management concepts for small organizations.

1. Someone has to own cybersecurity. There is really no getting around this. Assign the role of security officer to the most appropriate team member. This individual does not need to know it all, of course, but they do need to have a grasp of cybersecurity management concepts and be committed to owning the cybersecurity responsibility for the organization. The security officer will be in charge of:

  1. Understanding the overall information security context of the organization
  2. Maintaining knowledge of the organization’s data, systems, software, users and technical controls
  3. Developing IT and information security-related policies and procedures
  4. Managing the security of IT partner and vendor relationships
  5. Ensuring staff security awareness and training

I know this sounds like a lot of responsibility, but this does not mean the security officer has to do it all alone—they primarily need to own the responsibility. They will be working with the team members, partners and vendors that the organization has historically worked with, but through a more specific lens focused on ensuring the security of each of the component pieces that make up the whole. Essentially, the security officer is going to provide the additional security scrutiny that the organization needs and be in a position to lobby for the procurement of additional security-related products and services as needed to perform these duties.

2. Keep it simple. Security is complex by nature, so one of the most important cybersecurity management concepts is that the more you can simplify your data, systems, and processes in general, the better off you will be in your overall security management. Here are some areas to consider:

  1. Avoid giving too much IT privilege to any one user or vendor. Separation of duties is very important. Don’t provide any vendor unfettered access into your environment: if necessary, provide temporary access, always monitor and log this access, and ensure temporary access is always revoked once work is completed.
  2. Classify your data (public, internal-only, confidential, and restricted) and the systems that store it as part of a formal policy. The more sensitive the data is that is being stored in a given system, the better technical controls it requires to protect it. All information is not created equal. By classifying your data and systems appropriately you can better ensure that you have the right level of controls in place to protect it. Further, data classification is important for user awareness and data handling training.
  3. Know your systems. Keep an up-to-date IT asset inventory. This is very important. It should include hardware such as servers, network equipment, workstations, laptops, and cloud infrastructure. An inventory of software, and the systems they reside on, should also be maintained, including for SaaS applications.
  4. Keep systems up to date and patched. You should also perform vulnerability scans regularly and remediate any moderate or higher findings promptly.

Again, I know this sounds like a lot, but use the resources at your disposal to get to the bottom of these items and you will sleep better at night.

3. Access controls are your friend. Keep a close eye on user access throughout the organization. Here are some areas to monitor:

  1. Develop and maintain a strong password policy and ensure that all systems in use abide by it, whether on-premises or in the cloud (e.g., SaaS, PaaS and IaaS). At LMG, we recommend minimum password length requirements for regular users be at least 16 characters and 25 or more characters for privileged accounts.
  2. Protect externally available login portals with Multi-Factor Authentication (MFA) for all users (don’t forget SaaS applications).
  3. Regularly audit user accounts and ensure appropriate onboarding and offboarding procedures are implemented. Users should be provided cybersecurity training as soon as they are onboarded and provided with account credentials. User accounts should be disabled as soon as an employee leaves the organization (for all accounts they had access to during the course of their work, including cloud accounts).
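The three access-control items above are easiest to keep honest when the audit is a repeatable check rather than a manual review. The following is an added example (not LMG's code or any product's output) of such a check: it takes an HR roster of current staff and an export of accounts from several systems, then flags enabled accounts belonging to departed users, accounts that can log in from the internet without MFA, and systems whose enforced minimum password length falls short of the 16/25-character thresholds recommended above. All system names, usernames and policy values below are constructed for illustration.

```python
"""Account audit against the access-control guidance in the post (added example).

Checks performed for every enabled account:
  * DEPARTED_USER_ENABLED  - the owner is not on the current-staff roster
  * MFA_MISSING_EXTERNAL   - the system's login portal is internet-reachable and
                             the account has no MFA enrolled
  * WEAK_LENGTH_POLICY     - the system enforces a shorter minimum password
                             length than the tier (regular/privileged) requires
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Thresholds stated in the post: 16 characters for regular users, 25 for privileged.
MIN_PASSWORD_LENGTH: Dict[str, int] = {"regular": 16, "privileged": 25}


@dataclass(frozen=True)
class SystemPolicy:
    name: str
    enforced_min_length: int    # minimum the system's own password policy enforces
    externally_reachable: bool  # True if the login portal is exposed to the internet


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    owner: str        # HR identity (an e-mail address here); links accounts across systems
    privileged: bool
    enabled: bool
    mfa_enrolled: bool


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    code: str
    detail: str


def audit_accounts(systems: Iterable[SystemPolicy], accounts: Iterable[Account],
                   active_staff: Set[str]) -> List[Finding]:
    """Return one Finding per policy violation found in the account export."""
    policy = {s.name: s for s in systems}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state for departed users
        sys_policy = policy[acct.system]
        tier = "privileged" if acct.privileged else "regular"
        if acct.owner not in active_staff:
            findings.append(Finding(acct.system, acct.username, "DEPARTED_USER_ENABLED",
                                    f"{acct.owner} is not on the current-staff roster"))
        if sys_policy.externally_reachable and not acct.mfa_enrolled:
            findings.append(Finding(acct.system, acct.username, "MFA_MISSING_EXTERNAL",
                                    "internet-reachable login without MFA"))
        required = MIN_PASSWORD_LENGTH[tier]
        if sys_policy.enforced_min_length < required:
            findings.append(Finding(acct.system, acct.username, "WEAK_LENGTH_POLICY",
                                    f"system enforces {sys_policy.enforced_min_length} chars, "
                                    f"{tier} accounts require {required}"))
    return findings


# --- constructed sample data (not real systems or people) ---------------------
SYSTEMS = [
    SystemPolicy("ad", enforced_min_length=16, externally_reachable=False),
    SystemPolicy("m365", enforced_min_length=14, externally_reachable=True),
    SystemPolicy("crm-saas", enforced_min_length=8, externally_reachable=True),
]
ACTIVE_STAFF = {"alice@example.org", "bob@example.org"}  # carol has left
ACCOUNTS = [
    Account("ad", "alice", "alice@example.org", False, True, False),
    Account("ad", "admin-alice", "alice@example.org", True, True, True),
    Account("m365", "bob", "bob@example.org", False, True, True),
    Account("m365", "carol", "carol@example.org", False, True, False),
    Account("crm-saas", "carol", "carol@example.org", False, False, False),
    Account("crm-saas", "bob", "bob@example.org", False, True, True),
]

if __name__ == "__main__":
    for f in audit_accounts(SYSTEMS, ACCOUNTS, ACTIVE_STAFF):
        print(f"{f.code:22} {f.system:9} {f.username:12} {f.detail}")
```

Feeding the check real data means exporting the account list from each system (directory, identity provider, each SaaS admin console) and the roster from HR; the `owner` field is what ties a person's accounts together, which is exactly what the offboarding step in item 3 depends on.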

4. Work with vetted vendors and partners you trust. This is easier said than done but putting forth the best possible effort in this area will pay dividends. Take vendor vetting seriously, especially for any vendor that stores or may have access to sensitive organizational data. If your MSP is providing IT services, have another firm annually audit and security test their solutions and require prompt remediation of findings. Track findings from regular vulnerability scans and annual technical testing and the corresponding remediations that are performed.

5. Formalize your policies and procedures. Often, smaller organizations don’t have formal policies and procedures in place. Start one policy at a time using the above cybersecurity management concepts as a guide and develop IT and information security policies for your organization. This will provide clarity to the team members, administrators and managers and support the ongoing development of the organization’s security program.

Cybersecurity for small organizations comes with a range of unique obstacles that can tax small teams. If you need assistance in implementing cybersecurity management concepts and getting your cybersecurity program development off the ground, LMG can help by performing a Security Fundamentals Security Controls assessment to establish a baseline of where your program stands with prioritized recommendations that will shore up key gap areas. Contact us if we can help.


About the Author

Ben Kast

Ben Kast is a Principal Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion-dollar publicly traded companies to small and medium-sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).