As cybersecurity attacks are now a recurring theme in the news, resources to educate businesses are popping up all over the web. To help you and your business navigate the soup of Top 10 tips, I have curated a small list of websites for you.

Before we get started, let’s talk about how to use this list. Just like dating, attackers are attracted to certain businesses more than others. We classify this attractiveness into three simple categories below. Read through them and determine which one you fall into.

The Mom & Pop

A very small business with only a few people that sells only to local consumers or to other small civilian businesses.

General Recommendation
Check out the basic resources below. You are not a high value target, but you still need to take some basic precautions.

The Small DOD Sub

Also a very small business, but the difference is that your product ends up in military products. Your end customer is the DOD.

General Recommendation
Since December 2017, the DOD has required contractors that handle controlled unclassified information to implement the NIST SP 800-171 controls (DFARS clause 252.204-7012). Because compliance across the supplier base has been spotty, the DOD has since enacted the Cybersecurity Maturity Model Certification (CMMC) process. You will have to attain at least CMMC Level 1. At the bottom of the page, we link to some specific CMMC resources.

Bigger Small Biz

The more employees you have, the more avenues attackers have to get in. You are in this category when you have 15 or more people working in your business and pull in multiple millions in revenue.

General Recommendation
The bigger they are, the harder they fall. You have more to lose. By all means, read through our material and understand the threat environment, but you should also hire an IT or security professional to help you out.

Basic Resources for Small Business

I’ve curated these five websites to help the Do-It-Yourself Mom and Pop business do the bare minimum to protect their corner store. It is nice to see such rich, helpful websites funded by our tax dollars. Of course, I know that some folks might need some help. You can always find a local IT guy on Craigslist or NextDoor, or use my contact form.

FTC’s Cybersecurity for Small Business

The FTC’s newly released cybersecurity website is now my favorite place to send Mom & Pop for information to protect their corner store. A combined effort by the FTC, NIST, SBA, and DHS, it shows the government going all out to make a comprehensive yet digestible technical resource. The website is organized like a mobile app, with icons representing 12 of the most important cybersecurity areas for small businesses. If you are a tiny company, you can skip some of the sections, as noted in the following list:

Topics relevant to all small businesses:
Cybersecurity Basics
Email Authentication
Physical Security
Ransomware
Phishing
Business Email Impostors
Tech Support Scams
Hiring a Web Host

Topics for small businesses with a lot of employees:
Vendor Security
Cyber Insurance
Securing Remote Access
Understanding the NIST Cyber Framework

Each icon leads to detailed information about the threat and steps you can take to protect yourself. The site is well populated with discussion guides, quizzes, downloadable materials, and videos to appeal to every kind of learner.

FCC’s Cybersecurity for Small Business

This FCC site starts off with a broad overview, including an easily readable “Top 10 Cybersecurity Tips for Small Business.” I like the FCC Cyberplanner, which is just about the easiest way to create a customized cybersecurity plan for your business. The web app lets you pick the cybersecurity topics that are relevant to your business and generates a customized PDF action plan. When I picked the topics most relevant to a typical small business, the document turned out to be about 40 pages long. The website also has several links to additional government resources.

Stay Safe Online

Stay Safe Online is geared more toward individuals, but it does have a section for businesses. This site gets down into some of the details on how to take action. For example, it goes a little deeper on what to do to your internet router to make it a harder target. Don’t get me wrong, it is not a step-by-step guide. You’ll have to go to YouTube for that. Stay Safe Online also addresses social media and parental controls, but my favorite section by far is their huge list of Free Online Security Checkups and Tools.

CISA Cybersecurity Awareness Program for Small Business

I like this page because it is a simple collection of downloads consisting of overviews, one-pagers, tip cards, and guides. They are easy to print and take with you or share with employees. In addition to the usual cybersecurity overviews, there are also short primers on mobile security, social media, and the Internet of Things.

Cybersecurity Maturity Model Certification (CMMC)

The CMMC is the cybersecurity certification now required to sell to the DOD. It has been slowly rolling out for years, but it is now in force. The CMMC was created because the DOD was not happy with the low level of cybersecurity maturity among its supplier base. With the CMMC, DOD contractors and subcontractors are required to attain one of three levels of cybersecurity certification. Each level requires more security practices be implemented than the one below it:

Level 1: Foundational – 17 basic practices, drawn from the FAR 52.204-21 safeguarding requirements
Level 2: Advanced – 110 practices, aligned with NIST SP 800-171
Level 3: Expert – the 110 practices from Level 2 plus additional practices drawn from NIST SP 800-172

There are already hundreds of companies lined up to sell compliance plans, documentation packages, and all sorts of goodies to make sure you can pass the assessment with flying colors. Many of those same companies are also assessors that will place the stamp of approval on your compliance plans, documentation packages, and anything else you pay thousands and thousands of dollars to adopt.

The original CMMC standard was hard to read, most of the vendors made it sound like it would be a lot of work, and most of the material made it sound like it was going to be very, very expensive. However, the CMMC 2.0 changes greatly reduced the burden on companies seeking Level 1 certification: Level 1 can now be met with an annual self-assessment instead of a third-party audit. Level 1 looks like something a savvy business person could do themselves with a good reference and some coaching. The main CMMC website has some great resources, but I can’t say any of them are in plain language. Most of the websites talking about the CMMC belong to companies doing their best to sell you something. As you go out searching for more information, just watch out for that.

I’m Mike

Welcome to Pop’s Two Cents. Here you can find my advice to young people trying to navigate the modern world.