The offense always wins, and the defense always loses

How to Start Putting Cybersecurity in Your Business

February 8, 2024 · Issue #3

Cyber Attacker

Today, in 5 minutes or less, you'll learn:

  • Four practical options to kickstart the implementation of cybersecurity in your business
  • Should you implement recommendations that the Internet says are important?
  • Should you have a risk assessment conducted?
  • Is following established standards or guidelines the way to go?
  • What about a combination of these?

So, you want to start putting some cybersecurity in your business. Great!

So, where the heck do you begin?


Four practical options to kickstart the implementation of cybersecurity in your business

As we see it, there are three basic options to kickstart the implementation of cybersecurity in your business, plus a fourth that combines two of them:

  • Implementing recommendations that the Internet says are important - implementing what you read on blogs and in news articles.
  • Conducting a Risk Assessment - hiring a cybersecurity firm to complete an assessment of the cyber risk present in your business.
  • Following Established Standards or Guidelines - evaluating your business against one of the many established standards or guideline documents and closing all the gaps you find.

Let's dive into these options in more detail.


Option 1: Implement recommendations that the Internet says are important

The Internet is a vast resource of information, and when it comes to cybersecurity, there are numerous best practices recommended by experts, vendors, fellow business owners, and others. As a business owner, you can start by researching and implementing measures found in blog posts and articles to enhance your organization's security posture.

Why you'd want to go this way

  • Accessibility and Affordability: Internet-recommended best practices are easily accessible and often cost-effective, making them a suitable starting point for small to medium-sized businesses with limited resources.
  • Immediate Implementation: You can implement these measures promptly without needing specialized expertise or external assistance.
  • Community Support: There is a vast online community sharing insights and experiences related to best practices, allowing businesses to stay informed about emerging threats.

Why you wouldn't want to go this way

  • Generic Approach: Internet-recommended best practices are not tailored to your business's specific needs, so a generic approach may cover only some of your potential risks.
  • Limited Depth: Online advice often lacks the depth needed for comprehensive protection, leaving gaps in your cybersecurity strategy.
  • Unknown Source: Because anyone can put anything on the Internet, there's no guarantee that the best-practices articles you find were written by a cybersecurity analyst or cover everything your business needs.

Option 2: Conduct a Risk Assessment

A risk assessment is a proactive approach to understanding your business's unique cybersecurity risks. You can develop a tailored cybersecurity strategy by identifying potential threats and vulnerabilities.

Why you'd want to go this way

  • Tailored Security Strategy: A risk assessment provides a customized cybersecurity strategy based on the specific risks and vulnerabilities unique to your business.
  • Professional Guidance: Hiring a cybersecurity professional ensures a thorough evaluation, leveraging expertise to effectively identify and mitigate potential risks.
  • Long-Term Value: Investing in a risk assessment can offer long-term value by creating a foundation for ongoing cybersecurity improvements and adjustments.

Why you wouldn't want to go this way

  • Cost: Conducting a comprehensive risk assessment can be expensive, especially for smaller businesses with budget constraints.
  • Time-Consuming: Conducting a thorough risk assessment may take time, potentially delaying the implementation of immediate security measures.
  • Limited Comprehensiveness: Risk assessments are meant to reveal existing risks and provide recommendations to mitigate them. They provide a foundation, but their recommendations won't necessarily be an exhaustive list of the security protections your business needs now and into the future.

Here's how to get started with a risk assessment

  • Hire a Professional: Engage with a cybersecurity consultant or firm to conduct a thorough risk assessment specific to your business.
  • Identify Assets and Threats: Identify and categorize your business assets and assess potential threats and vulnerabilities associated with each.
  • Risk Analysis: Evaluate the likelihood and impact of each identified risk, prioritizing them based on the potential harm they could cause to your business.
  • Develop a Mitigation Plan: Develop a mitigation plan that outlines specific measures to address and reduce the identified risks.

Option 3: Follow Established Standards or Guidelines

Adopting recognized cybersecurity standards or guidelines provides a structured and proven framework for securing your business.

Some widely accepted standards include

  • ISO 27001: Possibly the world's best-known standard for information security management.
  • NIST Cybersecurity Framework: A set of guidelines organized into functions to identify, protect, detect, respond to, and recover from cyber threats.
  • CIS Critical Security Controls: The Center for Internet Security's prioritized set of best practices designed to enhance cybersecurity posture.

Some countries even have their own standards and guidelines for small and medium organizations, such as:

Why you'd want to go this way

  • Proven Framework: Established standards provide a proven framework for cybersecurity, ensuring a structured and comprehensive approach to securing your business.
  • Regulatory Compliance: Following recognized standards may assist in meeting regulatory compliance requirements, enhancing the credibility of your business.
  • Industry Recognition: Adhering to widely accepted standards may enhance your business's reputation, demonstrating a commitment to cybersecurity best practices.

Why you wouldn't want to go this way

  • Resource Intensive: Implementing established standards can require time, effort, and financial investment.
  • Rigidity: Some businesses may find established standards rigid and challenging to adapt to their specific needs, potentially resulting in gaps in cybersecurity coverage.
  • Can lead to less security: There is a saying in the industry that you can be secure but not compliant, and compliant but not secure. Remember that when you follow any standard or guideline, you have to ensure you're implementing the recommendations correctly and considering what each recommendation means to your business, instead of following recommendations blindly. Many standards include periodic risk assessments, and this is what they're for - to ensure that your implementation of the standard's recommendations, or your deviation from them, hasn't added any risk to your business.

Here's how to get started with a standard or guideline

  • Choose a Standard or Guideline: Choose the standard or guideline your business will comply with.
  • Identify Gaps: Identify which areas of the standard or guideline your business already complies with and which areas are gaps.
  • Develop a Plan: Develop a plan that outlines specific measures to address and close the gaps.


Option 4: Combine a Risk Assessment and Following Established Standards or Guidelines

A final option is combining a risk assessment with following an established standard or guideline.

Why you'd want to go this way

  • Immediate & Long-Term Benefits: You get the benefits of immediately identifying existing risk in your business and remediating it, along with building a plan for the future.
  • Risk Assessments Are a Standard Requirement: Many standards require routine risk assessments. By starting with one, you'll immediately be able to check off one of the gaps you have against the standard.
  • Risk Assessments Can Help Prioritize: When you start looking at how compliant your business is with a standard, the next question is: what do we start with? Risk assessments can help prioritize, as some of your compliance gaps will line up with risk assessment recommendations.

Why you wouldn't want to go this way

  • Cost: Conducting a risk assessment can be expensive, and so can dedicating the resources to implement the recommendations of a standard or guideline, especially for smaller businesses with budget constraints.
  • Time-Consuming: Conducting a thorough risk assessment and implementing the recommendations of a standard or guideline takes time away from other tasks in your business.


To end

Securing your business against cyber threats is a continuous process that requires diligence and commitment. Whether you start with Internet-recommended best practices, conduct a risk assessment, follow established standards, or combine these approaches, it's crucial to weigh the pros and cons of each. By carefully evaluating your business's unique requirements, you can develop a cybersecurity strategy that protects your organization from threats and aligns with your long-term goals and resources.
