SBA Small Business Cybersecurity Guide

February 13, 2020 | Articles

SBA Cybersecurity

The U.S. Small Business Administration (SBA) is helping small businesses better understand cyber threats, common vulnerabilities, and the steps they can take to improve their information security posture. According to the SBA, “Assessing your Business Risk” is the first and most important step small businesses should take to establish a more secure information technology infrastructure. But before diving into Step 1, they offer a helpful 30-minute small business cybersecurity training course [video or pdf] covering the basics.

Small Business Cybersecurity Training

The SBA Cybersecurity Training for Small Businesses course does an excellent job of defining the cybersecurity terms and threats, explaining the importance of employing best practices, teaching businesses to identify the information that should be protected, and introducing the concept of risk management.

The online class explains the three aspects to consider when developing an information security program.

They are:

  • Confidentiality – limiting data access to only those trained to handle sensitive information
  • Integrity – protecting the accuracy and existence of your data
  • Availability – making sure your data is always available, quickly and reliably

After the course, you should be ready to look at your own information assets, business processes, supply chain partners, employee actions, IT procedures, and your investor’s risk tolerance. 

SBA Cybersecurity Best Practices

The SBA Business Guide for Small Business Cybersecurity lists several information security best practices for small businesses, including the items that your employees and IT team should be implementing.

These best practices include:

  1. Train your employees
    • Safe Internet practices
    • Safe email practices
    • Safe desktop practices
  2. Maintain good cyber hygiene
    • Use antivirus software and keep it updated
    • Secure your networks
    • Use strong passwords
    • Implement multifactor authentication
  3. Protect sensitive data and back up the rest
    • Back up your data
    • Secure payment processing
    • Control physical access

These best practices are a great start to building a culture of cyber awareness. But, as you identify your true risks, you’ll see that more advanced cybersecurity controls, procedures, and policies will be required.

Assess Your Business Risk

The SBA says there is no substitute for dedicated IT security support, whether internal or external (consultant). They also recommend a cybersecurity risk assessment to identify vulnerabilities and valuable information assets. The result of an assessment usually takes the form of recommendations that will help a small business build a corrective action plan.

Here are the steps that the SBA recommends:

Step 1. Conduct an analysis of information security needs
Step 2. Assess the cost of losing your information
Step 3. Create a plan to protect your information
Step 4. Implement your plan through policies, training, and hardware and software controls

You will quickly realize that your leadership team will need to be actively involved in this project. It is usually best to have an executive champion the initiative.

Establish a Solid Foundation

The results of your risk assessment establish a foundation for your entire information security program. Having an experienced cybersecurity expert involved in the analysis, recommendations, planning, implementation, and documentation process is imperative. If you don’t have internal cybersecurity resources, you may want to reach out to a cybersecurity consultant for assistance. You shouldn’t go to your current IT provider to assess their own security practices. A third-party security assessment will be more valuable.

What is Acceptable Risk?

The SBA online training starts a valuable discussion about risk. The risk assessment process identifies information security risks and plans treatments to remove them. However, removing all possible risk is costly. So, your leadership team (or investors) needs to determine, “How much risk can we live with?” The SBA reminds us that no risk can be completely eliminated. So, it may be best to prioritize your risks by looking at the probability of occurrence and associated consequence (impact to business) of each risk. Once you know which risks exceed your acceptable threshold, you can treat those risks. The Ezentria ComplyWise process uses four risk treatments—mitigate, avoid, transfer, and accept. The SBA recommends cyber insurance for risk that you would like to “share” (transfer).

SBA Recommended Tools

The SBA understands that not every small business can justify paying consultants to secure their information assets, so they provide the following free resources:

Note: Ezentria has not used these specific tools, but we did notice that, when downloading some of the DHS assets, it is best to right-click on the pdf link and select “save link as” to save the document locally. Then open the .pdf in a desktop version of Adobe Acrobat Reader. It seems that some of the features of the interactive documents don’t work in a browser.

Start with Online Training

The SBA Cybersecurity Training for Small Businesses is a great place to start learning. You may even want a few members of your team to take the 30-minute course to brush up on the basic principles. Then visit the SBA Business Guide for Small Business Cybersecurity for more details about their recommended best practices. Discuss what you learn with your employees and IT team (or vendor); it will help you understand your current level of cybersecurity awareness and readiness.

If you would like to learn more about cybersecurity awareness training for your employees or implementing a professional security risk assessment, please reach out to us.

Frequently Asked Questions

Where can I learn more about small business cybersecurity?

The Small Business Administration (SBA) publishes a business guide for small business cybersecurity. The webpage defines common threats, provides tools for assessing your business risk, and offers cybersecurity best practices that small businesses can implement quickly.

Where can I find free small business cybersecurity training?

The Small Business Administration (SBA) Learning Center offers a 30-minute self-paced training course called “Cybersecurity for Small Business.” The video and script are available on-demand. Participants will learn cybersecurity definitions, the importance of securing information using best practices, identifying the types of information that should be secured, identifying types of cyber threats, the definition of risk management, and numerous best practices for guarding against cyber threats. Ezentria offers custom cybersecurity awareness and certification training for a fee.

What is cybersecurity risk treatment?

When you identify information security risks that exceed your acceptable level of risk, you will need to apply one or more risk treatment options. These options can have various names, but they should align to these four: Mitigate (reduce the risk), Avoid (stop the activity), Transfer (cyber insurance or share the risk), and Accept (assume the risk).

What are the steps to a security risk assessment?

For small businesses that would like to “self-assess” their information security risk, the Small Business Administration (SBA) recommends a few free tools and these four steps:

  1. Conduct an analysis of information security needs
  2. Assess the cost of losing your information
  3. Create a plan to protect your information
  4. Implement your plan through policies, training, and hardware and software controls

For everyone else, hiring a cybersecurity consultant to perform a professional risk assessment is likely a better option. Experience plays a significant role in the quality and thoroughness of the assessment.

What are some basic Cybersecurity Best Practices?

The Small Business Administration (SBA) identifies three primary cybersecurity best practices. The first is to “train your employees”; the second is “maintain good cyber hygiene”; and the third is “protect sensitive data and back up the rest”. There are specific recommendations for each of these best practices listed on the SBA Small Business Cybersecurity website.
