SBA Small Business Cybersecurity Guide
The U.S. Small Business Administration (SBA) is helping small businesses better understand cyber threats, common vulnerabilities, and the steps they can take to improve their information security posture. According to the SBA, “Assessing your Business Risk” is the first and most important step small businesses should take to establish a more secure information technology infrastructure. But before diving into Step 1, they offer a helpful 30-minute small business cybersecurity training course [video or pdf] covering the basics.
Small Business Cybersecurity Training
The SBA Cybersecurity Training for Small Businesses course does an excellent job of defining the cybersecurity terms and threats, explaining the importance of employing best practices, teaching businesses to identify the information that should be protected, and introducing the concept of risk management.
The online class explains the three aspects to consider when developing an information security program.
- Confidentiality – limiting data access to only those trained to handle sensitive information
- Integrity – protecting the accuracy and existence of your data
- Availability – making sure your data is always available, quickly and reliably
After the course, you should be ready to look at your own information assets, business processes, supply chain partners, employee actions, IT procedures, and your investor’s risk tolerance.
SBA Cybersecurity Best Practices
The SBA Business Guide for Small Business Cybersecurity lists several information security best practices for small businesses, including the items that your employees and IT team should be implementing.
These best practices include:
- Train your employees
  - Safe Internet practices
  - Safe email practices
  - Safe desktop practices
- Maintain good cyber hygiene
  - Use antivirus software and keep it updated
  - Secure your networks
  - Use strong passwords
  - Implement multifactor authentication
- Protect sensitive data and back up the rest
  - Back up your data
  - Secure payment processing
  - Control physical access
These best practices are a great start to building a culture of cyber awareness. But, as you identify your true risks, you’ll see that more advanced cybersecurity controls, procedures, and policies will be required.
Assess Your Business Risk
Here are the four steps that the SBA recommends:
- Conduct an analysis of information security needs
- Assess the cost of losing your information
- Create a plan to protect your information
- Implement your plan through policies, training, and hardware and software controls
You will quickly realize that your leadership team will need to be actively involved in this project. It is usually best to have an executive champion the initiative.
Establish a Solid Foundation
The results of your risk assessment establish a foundation for your entire information security program. Having an experienced cybersecurity expert involved in the analysis, recommendations, planning, implementation, and documentation process is imperative. If you don’t have internal cybersecurity resources, you may want to reach out to a cybersecurity consultant for assistance. You shouldn’t go to your current IT provider to assess their own security practices. A third-party security assessment will be more valuable.
What is Acceptable Risk?
The SBA online training starts a valuable discussion about risk. The risk assessment process identifies information security risks and plans treatments to reduce or remove them. However, removing all possible risk is costly. So, your leadership team (or investors) needs to determine, “How much risk can we live with?” The SBA reminds us that no risk can be completely eliminated. So, it may be best to prioritize your risks by looking at the probability of occurrence and the associated consequence (impact on the business) of each risk. Once you know which risks exceed your acceptable threshold, you can treat those risks. The Ezentria ComplyWise process uses four risk treatments—mitigate, avoid, transfer, and accept. The SBA recommends cyber insurance for risk that you would like to “share” (transfer).
SBA Recommended Tools
The SBA understands that not every small business can justify paying consultants to secure their information assets, so they provide the following free resources:
- Federal Communications Commission – FCC Planning Tool
- Department of Homeland Security – DHS Cyber Resilience Review (CRR)
- Department of Homeland Security – DHS Cyber Hygiene Vulnerability Scanning
Start with Online Training
The SBA Cybersecurity Training for Small Businesses is a great place to start learning. You may even want a few members of your team to take the 30-minute course to brush up on the basic principles. Then visit the SBA Business Guide for Small Business Cybersecurity for more details about their recommended best practices. Discuss what you learn with your employees and IT team (or vendor); it will help you understand your current level of cybersecurity awareness and readiness.
If you would like to learn more about cybersecurity awareness training for your employees or implementing a professional security risk assessment, please reach out to us.
Frequently Asked Questions
Where can I learn more about small business cybersecurity?
The Small Business Administration (SBA) publishes a business guide for small business cybersecurity. The webpage defines common threats, provides tools for assessing your business risk, and offers cybersecurity best practices that small businesses can implement quickly.
Where can I find free small business cybersecurity training?
The Small Business Administration (SBA) Learning Center offers a 30-minute self-paced training course called “Cybersecurity for Small Business.” The video and script are available on demand. Participants will learn cybersecurity definitions, the importance of securing information using best practices, how to identify the types of information that should be secured, how to identify types of cyber threats, the definition of risk management, and numerous best practices for guarding against cyber threats. Ezentria offers custom cybersecurity awareness and certification training for a fee.
What is cybersecurity risk treatment?
When you identify information security risks that exceed your acceptable level of risk, you will need to apply one or more risk treatment options. These options can have various names, but they should align to these four: Mitigate (reduce the risk), Avoid (stop the activity), Transfer (cyber insurance or share the risk), and Accept (assume the risk).
What are the steps to a security risk assessment?
For small businesses that would like to “self-assess” their information security risk, the Small Business Administration (SBA) recommends a few free tools and these four steps:
- Conduct an analysis of information security needs
- Assess the cost of losing your information
- Create a plan to protect your information
- Implement your plan through policies, training, and hardware and software controls
For everyone else, hiring a cybersecurity consultant to perform a professional risk assessment is likely a better option. Experience plays a significant role in the quality and thoroughness of the assessment.
What are some basic Cybersecurity Best Practices?
The Small Business Administration (SBA) identifies three primary cybersecurity best practices. The first is to “train your employees”; the second is “maintain good cyber hygiene”; and the third is “protect sensitive data and back up the rest”. There are specific recommendations for each of these best practices listed on the SBA Small Business Cybersecurity website.