Cyber Security for Small Business
There are many challenges to running a small business. Often, small business owners must concern themselves with multiple facets of their organization, from sales and marketing to human resources. As a result, some areas fall through the gaps and do not get the attention they deserve.
One such area that small businesses often fail to focus on is cyber security. Whether it is a lack of time or, more commonly, a lack of understanding, failing to address cyber security exposes small businesses to risk and potentially irreparable harm.
In today's operating environment, the theft of digital information is the most commonly reported fraud. Add to this that more and more small business owners are turning to cloud solutions to manage multiple tasks, from customer relationship management tools to managing finances, so their data increasingly lives on systems they do not directly control. Small businesses must consider how to ensure cyber security, to protect themselves as well as their customers.
What is Cyber Security?
Essentially, cyber security is the combination of software, hardware, processes and procedures put in place to protect networks, computers, programs and data from attack, damage or unauthorized use. What that means is that, as a small business owner, there are steps you can take to prevent your business's information from being taken, damaged, or used in an unapproved manner.
Cyber security is a subsection (albeit a rather large one) of information security. Where cyber security deals with digital information and the hardware and software it flows through, information security deals with any information, whether digital, printed, spoken, or held on audio or video. When addressing cyber security, information security should be the ultimate goal. As technology progresses, nearly all of our information is now held in digital format, so a cyber security program is most of an information security program. An information security management system is the structure within which that cyber security program is implemented and kept running.
Addressing Cyber Security
Organizations such as the FCC have published cyber security tips for small businesses. What these tips translate into is the implementation of an information security management system (ISMS). An ISMS is a business management system that includes business objectives and control methods, together with documented policies and procedures and the relevant records, for managing and protecting information. Basically, like other areas of your business such as marketing or accounts receivable, an ISMS puts operating procedures in place with the goal of keeping your information secure.
The overarching goal of an ISMS is to put a management system in place that allows your organization to effectively and efficiently manage the security of its information, which is what ensuring cyber security means in practice. By implementing an ISMS you are essentially putting cyber security in place for your organization. An ISMS allows you to protect information, hardware, software and networks from harmful attacks, damage, or unauthorized use. A well implemented ISMS goes further, preserving the confidentiality (only authorized entities can read it), integrity (accuracy and completeness) and availability (accessible and usable when needed by an authorized entity) of information.
Where to Start with an ISMS
A quick search on the Internet will show there is an International Organization for Standardization (ISO) standard for implementing an ISMS, known as ISO 27001. This standard is meant to bring information security (remember, cyber security is a part of information security) under management control. Using ISO 27001 as a framework will allow you to implement an ISMS that is built on best practices. Though you can be certified to ISO 27001 by an accredited registrar, this is not necessary if certification is not an organizational objective. However, by using ISO 27001 as your guide you will be implementing an ISMS based on a standard that is globally accepted as best practice for information security.
The first step in implementing an ISMS is to define the scope of what your ISMS must cover: which people, locations, systems and information it applies to. As a small business, this will most likely be your entire organization. As with any project, this is an essential step and will prevent you from doing too much or too little in order to ensure cyber security.
Once the scope is defined, a risk assessment should be completed: identify the information and systems in scope, the threats to them, and how likely and how damaging each would be. Taking a risk based approach to decision making is essential in all aspects of business. In the case of implementing and maintaining an ISMS, risk assessments are the backbone of a successful program. If you are looking to get certified to ISO 27001, a risk assessment is mandatory.
Following the risk assessment, you should undertake a risk treatment process and implement measures to reduce the risks you have identified. For each risk this means deciding whether to reduce it with controls, transfer it (for example, through insurance or a contract), avoid the activity altogether, or accept it, and then recording the decision. This is the step where knowledge of what it takes to reduce risk is necessary. As a small business owner, cyber security may not be your area of expertise, and you may need to seek outside help putting measures in place that reduce risk to your organization.
Once these steps have been taken, you should monitor your ISMS to ensure it continues to effectively and efficiently maintain information security (and with it cyber security), and repeat the assessment when your business, systems or threats change.
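The four steps above (scope, assess, treat, monitor) can be captured in a simple risk register. The following is an added example and is not part of the original article, nor is it ISO 27001 material: the five-point likelihood and impact scales, the risk appetite threshold of 6, the treatment options, and the three sample assets and risks are all constructed for illustration. It shows how the steps connect: every risk must belong to an asset inside the defined scope, risks are ranked by likelihood times impact, a treatment decision records the expected residual risk, and monitoring reports anything still above the appetite or still untreated.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Qualitative 1-5 scales and the risk appetite are assumptions for this
# example; ISO 27001 does not prescribe a particular scale or threshold.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 6  # scores at or below this may be accepted without further treatment
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}


@dataclass
class Risk:
    asset: str                      # an asset inside the ISMS scope
    threat: str
    likelihood: str
    impact: str
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        # Until a treatment is recorded, residual risk equals inherent risk.
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return LIKELIHOOD[lk] * IMPACT[im]


def assess(register: List[Risk]) -> List[Risk]:
    """Step 2: rank risks, highest inherent score first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def treat(risk: Risk, treatment: str, controls=(),
          residual_likelihood: Optional[str] = None,
          residual_impact: Optional[str] = None) -> Risk:
    """Step 3: record a treatment decision and the expected residual risk."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    # Accepting a risk above the appetite is a management decision that must
    # be justified explicitly, so this helper refuses to record it silently.
    if treatment == "accept" and risk.inherent_score() > RISK_APPETITE:
        raise ValueError(f"{risk.asset}: score {risk.inherent_score()} "
                         f"exceeds appetite {RISK_APPETITE}; cannot simply accept")
    risk.treatment = treatment
    risk.controls = list(controls)
    risk.residual_likelihood = residual_likelihood or risk.likelihood
    risk.residual_impact = residual_impact or risk.impact
    return risk


def monitor(register: List[Risk]) -> List[str]:
    """Step 4: report risks still untreated or still above appetite after treatment."""
    findings = []
    for r in register:
        if r.treatment is None and r.inherent_score() > RISK_APPETITE:
            findings.append(f"UNTREATED {r.asset}: {r.threat} (score {r.inherent_score()})")
        elif r.treatment not in (None, "accept") and r.residual_score() > RISK_APPETITE:
            findings.append(f"RESIDUAL {r.asset}: {r.threat} still {r.residual_score()} "
                            f"after {r.treatment}")
    return findings


def build_register() -> List[Risk]:
    """Step 1: define the scope, then list constructed sample risks against it."""
    scope = {"customer CRM (cloud)", "accounting laptop", "office Wi-Fi"}
    register = [
        Risk("customer CRM (cloud)", "account takeover via reused password", "likely", "major"),
        Risk("accounting laptop", "theft of laptop with unencrypted disk", "possible", "severe"),
        Risk("office Wi-Fi", "guest device reaches the office printer", "possible", "minor"),
    ]
    for r in register:
        if r.asset not in scope:
            raise ValueError(f"{r.asset} is outside the ISMS scope")
    return register


def run_example() -> List[Risk]:
    """Walk the full cycle on the sample register and return the treated register."""
    register = build_register()
    crm, laptop, wifi = register
    treat(crm, "mitigate", ["multi-factor authentication", "password manager"],
          residual_likelihood="rare")                       # 1 x 4 = 4
    treat(laptop, "mitigate", ["full-disk encryption", "remote wipe"],
          residual_impact="minor")                          # 3 x 2 = 6
    treat(wifi, "accept")                                   # 3 x 2 = 6, within appetite
    return register


if __name__ == "__main__":
    reg = build_register()
    for r in assess(reg):
        print(f"{r.inherent_score():>3}  {r.asset}: {r.threat}")
    print("before treatment:", monitor(reg))
    print("after treatment:", monitor(run_example()))
```

The refusal in `treat` is the point worth copying into any real register: the decision to live with a risk above your appetite is legitimate, but it should be a visible, justified decision, not a default that happens because nobody got round to it.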
This is, of course, only an introduction to what needs to be done to implement an ISMS. Cyber security has gained a lot of attention of late, reaching as far as Congressional legislation, and with good reason: the theft of digital information is the most commonly reported fraud.