Most discussions of the best, brightest, latest and greatest in information security deal with large institutions with high levels of risk and large sums of money available to spend on countering those risks. At conferences and in journals (including this one), most of the contributors come from government, financial institutions, large manufacturers or (horrors!) consulting. This makes some sense, because the purpose of education and publication is to introduce leading-edge, state-of-the-art practices and technologies to the rest of the world.
Unaffordable Security Measures
And if the conference attendees and journal readers can afford all that stuff, by all means they ought to implement it. But what of those who have small businesses, many of which share the same risk, but not the same staffing or the same-sized checking accounts? Out of necessity, they must make do with the trailing edge—yesterday’s news practices and technologies. These may be pension funds with few employees but billions in assets. Or consider 10-professional accounting firms or medical practices, which have nothing but sensitive personal information in their systems. You who are reading this (wake up!) may or may not be a part of such a small enterprise, but you may wish to consider: What is the minimum acceptable investment that needs to be made for any enterprise?
There might be an explicit security outlay for organizations that have their own information technology, whether on-premises or in a commercial cloud. Those who outsource their IT are paying for security in the fees they pay for services. Even in the smallest business, everyone has a personal computer today, which itself requires security.
There are some items that are clearly unaffordable for these significantly less-than-large enterprises. For example, it is unlikely that they would be able to employ a dedicated manager of information security or risk management. Nor is it likely that they regularly review system logs for potential penetrations or test the efficacy of their controls. They cannot audit their vendors’ controls or monitor their networks in real time to detect possible intrusions or anomalies. Managers and staff simply get their work done and rely on software and hardware to protect their information resources.
The impractical controls referenced in the previous paragraph were not chosen out of thin air. They were specifically listed in the survey I needed to fill out from one insurer, not to be named, in applying for commercial cyberinsurance.1
There are valid reasons why insurers are reluctant to extend coverage to small organizations—a subject for another day—but the result is that professional liability insurance that incorporates cyberthreats may be unaffordable or impossible for smaller businesses to purchase.
Security at Scale
I have my ideas about what the minimally acceptable security measures might be. I am not the first to consider this topic, and am sure that others may think differently about the matter than I do. (I would welcome correspondence from those who have other opinions.) First, there needs to be some agreement about scale. We are often encouraged to think big; thinking petite is quite a different challenge. Thus, for example, the Canadian government defines small (and medium, to be fair) as “organizations that have less than 500 employees.”2 Sorry, Ottawa, but I am thinking considerably smaller than that. The US government has also set minimum security requirements for federal information and information systems,3 but I doubt that there is any US government agency small enough to be applicable to this discussion. The European Commission does not specify the size of the organizations to which its minimum security standards apply, but in its statement on objectives and positioning, it does say that the general framework is intended to “derive Directorate-General/Department-specific security policies and system specific security plans,”4 which sounds pretty big to me. These august institutions have their perspective on what minimum might be, but I do not think they are addressing the extremely small organizations that I have in mind.
Minimum Requirements
As I see it, there are four absolutely required investments even the smallest organization needs to make:
- Automated backup and recovery. I would prefer the backups to be stored in a cloud to enable recovery under the widest of circumstances. No, backing up to a thumb drive and storing it in the sock drawer is not enough.5 In my experience, the greatest risk to a very small business is the loss of its data, so recoverability is the paramount security requirement. The cost for cloud backup and recovery systems is low enough that every business can afford it.
- Firewalls. If an organization has no need to access the Internet, it does not need a firewall. But then, I think only hermits in desert caves have no need for the Internet these days. Firewalls are needed between the Internet and personal computers, servers (including those provided by service companies) and internally on routers. In some cases, a firewall is included with a device’s operating system, so no additional purchase is required. Large organizations need to manage their firewalls; the teeny-weeny organizations discussed here just install them, leave the default of blocking unsolicited inbound connections in place, and otherwise forget about them.
- Antimalware protection. We used to talk about antivirus filters, but I think protection against all sorts of malware is more appropriate—though to be honest, most attack software is still delivered via infected files or attachments, funky websites or phishing emails.6
- Encryption. There are a number of uses for encryption. I have the protection of sensitive files or entire storage devices in mind; full-disk encryption is built into current desktop and mobile operating systems and needs only to be switched on. For communication of personal or secret information over wide area networks, public/private key pairs are appropriate, necessitating to a greater or lesser degree some sort of public key infrastructure (PKI). For those with a publicly available website, a Transport Layer Security (TLS) certificate is also called for. These are still widely sold as Secure Sockets Layer (SSL) certificates, but the SSL protocol itself is obsolete and should be disabled on the web server.
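As an added worked example, not code from this column or from any product named in it, the backup requirement above carried one step further than "automated": a backup is counted as good only after it has been restored somewhere and every restored file matches a hash manifest taken at backup time, and the manifest is sealed with an HMAC so that a copy altered after the fact (by ransomware, a disgruntled insider or plain bit rot) is rejected before anyone trusts it. The sample files, directory names and the HMAC key are constructed for the demonstration; in practice the key lives apart from the backup media. Encrypting the archive before it is uploaded to the cloud is left out because the Python standard library has no cipher, and a real job would add that step.

```python
"""Automated backup with a restore test and a tamper-evident manifest.

Added example for the "backup and recovery" requirement; not code from the
column. Sample files, paths and the HMAC key are constructed for the demo.
"""
import hashlib
import hmac
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Relative POSIX path -> SHA-256 of every file under src, stable order."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def seal(manifest: dict, key: bytes) -> bytes:
    """Serialize the manifest with an HMAC-SHA256 tag (key kept off-media)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "hmac": tag}).encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Return the manifest only if its tag verifies; raise otherwise."""
    doc = json.loads(blob)
    body = json.dumps(doc["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("manifest failed integrity check")
    return doc["manifest"]


def backup(src: Path, archive: Path, key: bytes) -> int:
    """Write src into a .tar.gz with its sealed manifest; return file count."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
        blob = seal(manifest, key)
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return len(manifest)


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Refuse members that would land outside dest (tar path traversal)
    or that are not plain files or directories."""
    root = dest.resolve()
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"refusing to extract {m.name!r} outside {dest}")
        if not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing non-regular member {m.name!r}")
        yield m


def restore_and_verify(archive: Path, dest: Path, key: bytes) -> list:
    """Restore into dest and return the files whose content does not match
    the sealed manifest. Only an empty list counts as a successful backup."""
    with tarfile.open(archive, "r:gz") as tar:
        members = list(_safe_members(tar, dest))
        # Pythons that ship tarfile's 'data' filter apply it as a second check.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    manifest = unseal((dest / "manifest.json").read_bytes(), key)
    restored = dest / "data"
    return [rel for rel, digest in manifest.items()
            if not (restored / rel).is_file()
            or sha256_file(restored / rel) != digest]


def demo() -> tuple:
    """Constructed scenario: back up two files, restore and verify them, then
    show that a manifest with a rewritten hash is rejected.
    Returns (files backed up, mismatches after restore, tamper detected)."""
    key = b"demo-key-kept-off-the-backup-media"  # constructed for the demo
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "ledger"
        (src / "clients").mkdir(parents=True)
        (src / "clients" / "a.txt").write_text("client A, account 001\n")
        (src / "invoices.csv").write_text("id,amount\n1,250.00\n")
        archive = tmp / "ledger-backup.tar.gz"
        count = backup(src, archive, key)
        mismatches = restore_and_verify(archive, tmp / "restore", key)
        # An attacker (or bit rot) rewrites one digest inside the manifest.
        doc = json.loads(seal(build_manifest(src), key))
        doc["manifest"]["invoices.csv"] = "0" * 64
        try:
            unseal(json.dumps(doc).encode(), key)
            tampered_caught = False
        except ValueError:
            tampered_caught = True
    return count, mismatches, tampered_caught


if __name__ == "__main__":
    print(demo())  # (2, [], True)
```

Run it as a script and `demo()` reports two files backed up, no mismatches on restore and the forged manifest rejected. In a scheduled job the useful part is the non-empty case: a mismatch list or a `ValueError` from `unseal` should page someone, not land quietly in a log nobody reads.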
Return on Security Investment (ROSI)
Some may wonder what this discussion of a little security has to do with them. (Thank you for reading this far.) For one thing, they may want to start their own small business someday. I submit that establishing an information security baseline, even for large enterprises, has its own value. Perhaps some might add access control, multifactor authentication (MFA) or explicit security policies to my list. Whatever that baseline is, it sets the boundaries for any discussion of the return on security investment (ROSI).7, 8
These minimum requirements do not need justification. The only debate might be about which products and at what cost. Everything else that the information security function might wish to acquire must be shown to provide a level of security commensurate with an elevated level of risk. This implies risk management, information system categorization and classification, compliance requirements, auditability and the entire superstructure of security that larger enterprises need, but which are too costly, time-consuming or just silly for the little businesses addressed here.
Endnotes
1 I lead a boutique consulting firm. Much in this article is drawn from my personal experience.
2 Canadian Centre for Cybersecurity, “Baseline Cyber Security Controls for Small and Medium Organizations,” Government of Canada, 2 February 2020, http://www.cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
3 National Institute of Standards and Technology (NIST), Federal Information Processing Standards Publication (FIPS Pub) 200, Minimum Security Requirements for Federal Information and Information Systems, USA, 2006, http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf
4 European Commission Publications Office, Information Security Management, OP Minimum Security Requirements, Luxembourg, http://op.europa.eu
5 Though I am a belt, suspenders and a bit-of-string sort of guy, and I do that as well.
6 There is a lot of literature on this subject. A good summary is US State of Michigan Department of Attorney General, “Malware—What Is It and How To Avoid It,” 2023, http://www.michigan.gov/ag/consumer-protection/consumer-alerts/consumer-alerts/id-theft-telemarketing/malware
7 Ross, S.; “Vive le ROI,” Information Systems Control Journal, vol. 2, 2002. This article is no longer available on the Internet. Anyone who wishes to read it is welcome to contact me directly.
8 Ross, S.; “ROSI Scenarios,” Information Systems Control Journal, vol. 3, 2002. This article is no longer available on the Internet. Anyone who wishes to read it is welcome to contact me directly.
STEVEN J. ROSS | CISA, CDPSE, AFBCI, MBCP
Is executive principal of Risk Masters International LLC. He has been writing one of the Journal’s most popular columns since 1998. Ross was inducted into the ISACA® Hall of Fame in 2022. He can be reached at stross@riskmastersintl.com.