One of the biggest problems Canada faces is getting small businesses to lower the risk of being victims of cyber attacks by toughening their processes and IT infrastructure.
With limited budgets, small businesses are less likely than larger firms to hire experts to advise them on proper procedures and technology.
But the Council of Better Business Bureaus, which represents bureaus in the U.S., Canada and Mexico, hopes to change that early next year with the release of the first in a series of online modules that small firms can download, with practical guidance for better securing themselves.
Each module will also include information from cyber security vendors on which of their products map to each recommended piece of technology, to make it easier for business owners to buy equipment.
The first module, to be released around the end of March, 2018, will be on securing email. Next will be modules on personnel and Web sites.
“Small businesses, they’ve got a firewall, they’ve got anti-virus,” says Bill Fanelli, CSO of the Arlington, Va.-based council, “but after that they’re not doing a lot” unless obligated because they are government suppliers.
Small business “needs to maintain public trust and needs to be secure in the supply chain,” he said. Telling a potential customer, “‘I’m more secure than my competitors’ is a real advantage.”
Karen Smith, CEO of the Better Business Bureau of Saskatchewan, who has been the Canadian BBB representative working with Fanelli’s cyber security committee, is among those who believe many small firms here are unprepared to face cyber risks.
“I don’t think we’re ready,” she said in an interview. “Running a small business takes a lot of energy just in the business. Having the added component of cyber security on top of that, I don’t think small business is prepared for that.”
She’s hoping that when Ottawa releases its updated national cyber security strategy in a few months, it includes a framework businesses of all sizes can rely on to improve their security maturity. However, “the intent of the Council of Better Business Bureaus is to put together materials so we’re prepared to do it on our own anyway. One way or another we need to give some tools to small businesses.”
The need for those tools is evident from a recent Council of BBB survey of small businesses in the U.S., Canada and Mexico.
Eleven per cent of respondents said they currently had no cyber security measures in place. Only 15 per cent had a security incident response plan. Only 17 per cent had a dedicated person or team charged with information security responsibilities. Only 20 per cent had ever undergone an internal audit or threat assessment. Just under half said they do security awareness training for staff.
When asked what top factors hinder their firm’s ability to advance cyber security efforts, 28 per cent of respondents cited lack of resources, 27 per cent said lack of expertise or understanding and 14 per cent said either lack of information or lack of time.
More than one in five said they had been the target of a cyber attack, with 10 per cent saying it had happened in the last 12 months.
The coming modules are part of the second phase of the Council of BBB’s “Empower, Build and Equip” strategy.
The first, Empower, is an awareness campaign that started two years ago involving BBB-trained facilitators who host local half-day meetings for businesses to introduce them to a number of actions they should follow, including the council’s “Five Steps to Better Business Security.”
These steps (identify assets, protect them, detect incidents, have a plan for responding to incidents and recover from an incident) are a simplified version of the U.S. National Institute of Standards and Technology (NIST) cyber security framework.
Trainers also present a “case study” of a fictional company called Leaky Faucett Plumbing with 10 employees that unfortunately suffers a number of cyber catastrophes, to show how it could have applied the five steps to improve its security posture.
But Fanelli admits that after he leads sessions, some attendees come to him and want more guidance on what to do. The result is the creation of the upcoming modules.
Each will have several use cases that apply to the varied uses of technology by a business (for example, a florist won’t use email the same way a law firm does). The material will allow a business to choose the appropriate use case, which will show the proper security controls that would apply (for example, there should be an administrator responsible for creating new email accounts, and deleting them when staff leave).
The third phase of the program is getting manufacturers of cyber security hardware and software to add to each module by listing which of their products map to each suggested technology. So, for example, if the module suggests “you should have a Web gateway,” there would be a list of vendors saying “our model 4566 is appropriate for this application.”
Fanelli hopes to have the first module online by the end of Q1, 2018.