Information Security for Small and Midsized Businesses
About this ebook
Small and midsized businesses (SMBs) are outgunned by cybercriminal and activist organizations focused on stealing anything they can leverage to obtain financial gains, perform corporate espionage, further political agendas, and pursue other objectives. Every orga
Greg Schaffer
Greg Schaffer participated in a small Christian-based group ministry in 2011 and became a facilitator with the ministry to help others find their direction toward a purposeful life. His firsthand experiences of lives transformed through such healing groups led him to write Leaving Darkness, hoping the tale of transformation through God’s grace may encourage those lost in their own darkness to reach out for help. The author of two previous novels, Greg lives in Franklin, Tennessee, with his wife and three rescue dogs.
Information Security for Small and Midsized Businesses - Greg Schaffer
Introduction
Small and midsized businesses (SMBs) have the same information security concerns and needs as large organizations yet are often hampered by resource limitations. Most large companies have a Chief Information Security Officer (CISO) to lead and manage information security programs, initiatives, and risks. However, the cost of retaining a full-time CISO is often prohibitive for SMBs.
This gap has led to the rise of the virtual CISO, or vCISO role. Sometimes referred to as a fractional CISO, a vCISO is a part-time consultant who works virtually (remotely) rather than in the office. Because experienced CISOs are in high demand, the part-time, remote nature of the engagement is what keeps the cost of a vCISO relatively low. Yet SMBs can dramatically improve their information security risk management posture even without a virtual CISO, given the right information and mindset.
This book aims to help get your small or midsized business there. From my firm's numerous client engagements, we have noticed that SMBs share many similar information security knowledge gaps. Certain question patterns emerged:
What's the difference between a SOC 1 and a SOC 2?
What does a high vulnerability mean?
How do we know our partners are secure?
How can we know where our security gaps are?
What is the best framework to align to?¹
These are some of the concerns we field while building and managing an effective information security program.
Think of this work, a result of discussing those common needs, as a pocket information security risk management consultant. It is my hope that, by collating and presenting the most significant concerns to SMB information security, this publication can help your SMB begin or continue your journey to a more secure environment. Effective information security risk reduction does not need to be cost prohibitive. Indeed, it works best when integrated with all business processes.
I have striven to present all topics in plain English, focusing more on the business needs, rather than using giga-mumbo-jumbo terminology, to paraphrase an early career mentor of mine. That is key, because at its core information security is two things—a business issue, and risk management.
My goal is to provide a simple yet powerful resource to you, the SMB executive, so you may be able to make risk-informed decisions, with or without a virtual CISO. I have organized this publication in a somewhat cohesive order, so subsequent chapters build off the previous, yet each is kept independent enough to allow this to also be used as a reference. In other words, you may choose to read it sequentially or by chapter based on topical interests (or both).
Security is everyone's responsibility. Those are not just words; they are a truth in business that if not heeded can lead to losses and even failure. Don't be that business!
Third Edition Notes
The first edition was an eBook, designed as a lead magnet for our website (enter your email address and download this free publication), and was limited in content. The second edition, released in 2021, greatly expanded the material and was offered as a print edition for the first time.
The feedback on the second edition was enormously positive. For example, at one conference in 2022, a keynote speaker held up the second edition and said that this was one of the best, to-the-point guides regarding information security for small and midsized businesses he had ever read. That sort of feedback, coupled with my passion and calling to help SMBs, prompted me to work on a third edition that is approximately 50 percent larger than the previous.
I have checked all the links in this document for currency and adjusted where needed. I believe a well-referenced document provides value, yet the internet is never static. Therefore, I apologize in advance for any broken links. My suggestion is to search the footnoted site for the referenced article or resource. Often website overhauls keep the same documentation but change URLs, creating dead links.
I will continue to work on subsequent edition updates as time permits and am always looking to improve this work. If you have suggestions for content, please let me know.
About the Author
I entered the virtual CISO realm in 2017 by choice. My calling was to do more with my talents, birthed in the numerous stories of large-company breaches. I think the Equifax breach may have been the tipping point. These huge organizations had the resources and, most of the time, the leadership to prevent breaches, and yet were still compromised. What about the small and midsized businesses?
This was indeed a calling to service, one that I initially resisted.² I have held a job constantly since my teens, had never been fired or laid off, and only left a full-time position after securing the next. I craved the comfort and security that only a full-time job could provide. However, growth is often more pronounced when comfort is left behind.
Thus, in 2017, I launched the consulting firm vCISO Services, LLC³ with the mission of providing quality experience to SMBs to help prevent losses due to information security weaknesses. All our client engagements are led by an experienced CISO, and all our supporting resources have at least five years of experience in the field. With that baseline, SMBs are confident that they receive quality experience akin to what big corporations employ.
I hope that my over thirty years of experience in information technology and information security will help SMBs improve their information security posture. Indeed, I have expanded efforts to shed light on SMB information security risks and ways to address them, including a weekly podcast (The Virtual CISO Moment), conference presentations, and, of course, this book. This is my focus at this stage in my career. I hope you find value in this book.
Acknowledgements
Information security is a discipline that should not be practiced in a silo. By its nature, it requires collaboration on threat intelligence and on proven practices in order to arrive at the best approaches to managing risk.
For the third edition, I had the good fortune of working with several volunteer experts in information security. They offered suggestions from typos and grammar to complex issues within information security. Their input made this a substantially better product than I could have accomplished on my own. Specifically, I’d like to thank the following amazing people:
Heather Noggle, who provided both relevant industry knowledge and significant writing advice. I will forever thank, or blame, her for understanding the difference between less and fewer.
Peter Gregory, who not only added valuable content, but also provided author advice, both directly and via his excellent book The Art of Writing Technical Books: The Tools, Techniques, and Lifestyle of a Published Author.
Michael Cole, who provided welcome pushback on several sections, particularly the final one