Information Security for Small and Midsized Businesses
Ebook, 291 pages, 1 hour


About this ebook

Small and midsized businesses (SMBs) are outgunned by cybercriminal and activist organizations focused on stealing anything they can leverage to obtain financial gains, perform corporate espionage, further political agendas, and pursue other objectives. Every orga

Language: English
Release date: Jun 27, 2024
ISBN: 9781733066853
Author

Greg Schaffer

Greg Schaffer participated in a small Christian-based group ministry in 2011 and became a facilitator with the ministry to help others find their direction toward a purposeful life. His firsthand experiences of lives transformed through such healing groups led him to write Leaving Darkness, hoping the tale of transformation through God’s grace may encourage those lost in their own darkness to reach out for help. The author of two previous novels, Greg lives in Franklin, Tennessee, with his wife and three rescue dogs.


    Book preview

    Information Security for Small and Midsized Businesses - Greg Schaffer

    Introduction

    Small and midsized businesses (SMBs) have the same information security concerns and needs as large organizations yet are often hampered by resource limitations. Most large companies have a Chief Information Security Officer (CISO) to lead and manage information security programs, initiatives, and risks. However, the cost of retaining a full-time CISO is often prohibitive for SMBs.

    This gap has led to the rise of the virtual CISO, or vCISO role. Sometimes referred to as a fractional CISO, a vCISO is a part-time consultant who works virtually (remotely) as opposed to in the office. Because of the high demand for CISO experience, the virtual nature keeps the cost of engaging a vCISO relatively low. Yet SMBs can dramatically improve their information security risk management posture without a virtual CISO, with the right information and mindset.

    This book aims to help get your small or midsized business there. From my firm’s numerous client engagements, we have noticed SMBs share many similar information security knowledge gaps. Certain question patterns emerged—What's the difference between a SOC1 and a SOC2? What does a high vulnerability mean? How do we know our partners are secure? How can we know where our security gaps are? What is the best framework to align to?¹ These are some of the concerns we field while building and managing an effective information security program.

    Think of this work, a result of discussing those common needs, as a pocket information security risk management consultant. It is my hope that, by collating and presenting the most significant concerns to SMB information security, this publication can help your SMB begin or continue your journey to a more secure environment. Effective information security risk reduction does not need to be cost prohibitive. Indeed, it works best when integrated with all business processes.

    I have striven to present all topics in plain English, focusing more on the business needs, rather than using giga-mumbo-jumbo terminology, to paraphrase an early career mentor of mine. That is key, because at its core information security is two things—a business issue, and risk management.

    My goal is to provide a simple yet powerful resource to you, the SMB executive, so you may be able to make risk-informed decisions, with or without a virtual CISO. I have organized this publication in a somewhat cohesive order, so subsequent chapters build off the previous, yet each is kept independent enough to allow this to also be used as a reference. In other words, you may choose to read it sequentially or by chapter based on topical interests (or both).

    Security is everyone's responsibility. Those are not just words; they are a truth in business that if not heeded can lead to losses and even failure. Don't be that business!

    Third Edition Notes

    The first edition was an eBook, designed as a lead magnet for our website (enter your email address and download this free publication), and was limited in content. The second edition, released in 2021, greatly expanded the material and was offered as a print edition for the first time.

    The feedback on the second edition was enormously positive. For example, at one conference in 2022, a keynote speaker held up the second edition and said that this was one of the best, to-the-point guides regarding information security for small and midsized businesses he had ever read. That sort of feedback, coupled with my passion and calling to help SMBs, prompted me to work on a third edition that is approximately 50 percent larger than the previous.

    I have checked all the links in this document for currency and adjusted where needed. I believe a well-referenced document provides value, yet the internet is never static. Therefore, I apologize in advance for any broken links. My suggestion is to search the footnoted site for the referenced article or resource. Often website overhauls keep the same documentation but change URLs, creating dead links.

    I will continue to work on subsequent edition updates as time permits and am always looking to improve this work. If you have suggestions for content, please let me know.

    About the Author

    I entered the virtual CISO realm in 2017 by choice. My calling was to do more with my talents, birthed in the numerous stories of large-company breaches. I think the Equifax breach may have been the tipping point. These huge organizations had the resources and, most of the time, the leadership to prevent breaches, and yet were still compromised. What about the small and midsized businesses?

    This was indeed a calling to service, one that I initially resisted.² I have held a job constantly since my teens, had never been fired or laid off, and only left a full-time position after securing the next. I craved the comfort and security that only a full-time job could provide. However, growth is often more pronounced when comfort is left behind.

    Thus, in 2017, I launched the consulting firm vCISO Services, LLC³ with the mission of providing quality experience to SMBs to help prevent losses due to information security weaknesses. All our client engagements are led by an experienced CISO, and all our supporting resources have at least five years of experience in the field. With that baseline, SMBs are confident that they receive quality experience akin to what big corporations employ.

    I hope that my over thirty years of experience in information technology and information security will help SMBs improve their information security posture. Indeed, I have expanded efforts to shed light on SMB information security risks and ways to address them, including a weekly podcast (The Virtual CISO Moment), conference presentations, and, of course, this book. This is my focus at this stage in my career. I hope you find value in this book.

    Acknowledgements

    Information security is a discipline that should not be practiced in a silo. By its nature, collaboration on threat intelligence and on proven approaches is necessary to arrive at the best ways to manage risk.

    For the third edition, I had the good fortune of working with several volunteer experts in information security. They offered suggestions from typos and grammar to complex issues within information security. Their input made this a substantially better product than I could have accomplished on my own. Specifically, I’d like to thank the following amazing people:

    Heather Noggle, who provided both relevant industry knowledge and significant writing advice. I will forever thank, or blame, her for understanding the difference between less and fewer.

    Peter Gregory, who not only added valuable content, but also provided author advice, both directly and via his excellent book The Art of Writing Technical Books: The Tools, Techniques, and Lifestyle of a Published Author.

    Michael Cole, who provided welcome pushback on several sections, particularly the final one
