What SME's Need to Know About CIS

00:00

Hey, everyone, welcome back to the core. So in the last video we wrapped up our discussion on control number 20 which again was mapping the NUS cybersecurity framework to penetration tests. And red team exercises

00:10

in this body were to talk a little bit about the things that small and medium enterprises need to focus on regarding C I s controls.

00:20

So we're to talk through some of the concerns for the smaller medium enterprise small business owners as well as some basic cost effective solutions that you could implement today and also talking about the preparation of yourself as well as your employees.

00:35

So some of the major concerns for SME is going to be things like data theft on. And then also, what do people do with that data? Once a steal it

00:43

possibly website defacement as well, especially if you're running like any commerce type of site. If that's your business, because if your websites taken over, then you really can't make sales right?

00:54

Other concerns are things like phishing attacks. So maybe you've got certain systems

00:59

and your employees fall for the phishing attack. They download some malware on possibly that's ran somewhere. So locks you out of your systems

01:06

and then also natural disasters or accidents that cause the data loss as well. Because at the end of the day of a tornado hits your bakery, you're unlikely to continue being able to function in your business.

01:19

So some questions we need to ask ourselves. Number one, what's connected. So what things are connected to the network that I'm using in my business

01:26

are there. Ah, things on the WiFi that I don't know about, so have identified things that shouldn't be there.

01:34

What software reusing are we using? Ah, lot of cloud based stuff. Are we having to use custom software? What software do we have on our systems that were interacting with on a day to day basis for the critical business operations?

01:48

Do us as business owners or our employees have a security mindset? Right. So as we're setting up new machines as we're downloading software as we're going about our day, do we focus on security first? Or is that something that we think about after we've already had a data breach,

02:04

also thinking for what kind of sensitive information do you actually have? Many small businesses don't have to worry about things like PC, Idea says. In most cases, because they're not actually processing the credit card payments in storing that data, they're just sending it through 1/3 party like stripe or pay pal or something like that. So or a merchant account. So

02:22

just thinking through, like, what is the actual sensitive data

02:23

you're working with? And then the rolls, Right. So what is everyone's role as we go into our incident response plan? What should people be doing and how do they note what to do?

02:36

So first thing we need to start off with our environment, right? We have to know what we actually have. So we have to understand the value of our data that goes back to sensitivity and understanding. Do we actually have something that somebody else might want?

02:46

So this might be things like financial data, personally identifiable information. So things like a customer, so security number, date of birth, any other type of customer data. So maybe their home address phone number pricing lists that we have. So maybe our competitors are gonna try to steal our pricing list and product information.

03:05

Other i p information. So intellectual property as I mentioned before talking about looking at the wireless network were using and what other devices air on. There are these devices that are authorized a re for some reason, connecting to public WiFi all the time. If so, we might want to reconsider that right and then thinking through what kind of actual hardware and software assets do we have?

03:24

Are we using maybe a laptop and a tablet or mobile device?

03:28

Do we have certain software that we need to download to use as an example? I have a particular software I use for my small business, so there might be certain things that you use that are things you need to know about because there could be vulnerabilities with a software. Or there could be other ways that that's offer could be used against you.

03:47

Some cost effective tools out there for you as a small business owner or things like end map for identifying what kind of assets you have on your network. Spice works, an app locker are good as well networks and open audit.

04:00

And then also, just keep in mind that these aren't all the tools out there, so you can Google search like open source or free tools to do X right

04:10

to identify hardware assets, to identify software assets,

04:14

to scan for vulnerabilities and we'll talk about that in a little bit is well,

04:19

so getting to protecting our assets, we need to first establish a baseline. So

04:25

the number one thing I would say as a small business owner is leverage the things you already have. So many operating systems, like Windows will have built in things you can use. So, for example, like bit locker for your disk encryption.

04:38

Ah, the Microsoft Baseline Security analyzer.

04:41

They'll also have things like Windows Defender in place, But I would also recommend getting some other type of anti Mauer solution. So something like malware bytes, for example, and then enabling multi factor authentication on everything we do if it's available. So Social media accounts that you're using your financials at your bank

04:59

enable multi factor everywhere you go.

05:00

Changing default credentials is the big one. If you're using like a router or other networking device, though, they're going to ship with default credentials like admin admin for the user name and password. So just make sure you're changing those so nobody can take that over

05:15

using encryption. Both, uh, encrypting the data at in transit and at rest wherever possible. Right.

05:23

Using tools like open Voss, which is a vulnerability scanner as well as the qualities browser. Check to see if there's any. See if there's any vulnerabilities in your browser that you're using, and to make sure that you've got the latest version of that browser

05:38

and then you want to prepare your organization. So once you've identify what you have and ways to protect it now you need to prepare everyone in your organization. So number one talking about backups, right? Make sure you back up your information. Depending on the size of your business, that might just be something A simple is backing up your files to Dropbox or Google Drive or

05:57

one drive or something like that, right. Backing him up to the cloud

06:00

you need to think through to contact. So if you are attacked, if somebody is taking over your website, if someone does breach your systems, who do you contact? You may contact the FBI. That might be the first thing you think of. But think about that. The FBI may not actually investigate your case because it's not enough financial impact for a federal level.

06:19

Right? So keep that in mind that you may need to explore local law enforcement or other entities to contact in the event that

06:26

you have something happen, as well as thinking through who I t wise or sub security Wiesel contact. So start getting a list together. If you don't have one of companies, you could reach out to have them fixed the issue for you. If you're not a technical person

06:40

along the same lines, thinking through that incident response plan, right, what are we gonna do once something happens? And we need to have that in place before something actually happens, and then some low cost or free tools that you can use to do the backups Microsoft Backup and restore Apple's time machine, Amanda Network and Bakula is well,

06:59

so in this video what has talked about some of the basic information that a smaller medium enterprise needs to think through? We also talked about some of the cost effective solutions again that those were not all inclusive list. There's a lot more tools out there that you could use, and then we also talked about preparing your organization for any type of incident