Administrative Controls – Practical Cyber Security for Small Business

As technology continues to rapidly transform the business landscape and impact our lives in significant ways, the protection of your data, the systems where that data lives, and the people that work with that data is more important than ever before! To achieve a secure environment, Physical, Technical, and Administrative Controls must be deployed by business leaders and cybersecurity professionals across the entire organization. Any area left uncontrolled leaves a gap for cyber attackers to find success.

In this article, which is part three in a four-part series on Practical Cyber Security for Small Business, we’ll explore the language and practical application of cybersecurity Administrative Controls. Let’s start with why we need these safeguards, define some key terms, then outline the controls that will have the greatest impact on your organization.

Most small businesses have some form of employee handbook that spells out the rules that govern the organization and an individual worker’s behavior. It includes things like dress code, safety rules, vacation and pay policies. What’s missing from most of these handbooks are policies and procedures for safely using technology; the administrative controls that set the boundaries of how workers must behave when operating devices and working with data.

Modern devices almost always rely on the Internet to provide value to the person operating them. And because the Internet is one of the most dangerous places on the planet, it makes good sense that organizational leaders control how employees behave when working with these devices and the data that they touch. In the absence of guidance, workers will ultimately operate in risky and unsafe ways. They will create weak passwords, reuse these weak passwords repeatedly, put private information in public view, and respond to phishing emails and other social engineering attacks. With worldwide cyberattacks growing at an alarming pace, business as usual isn’t good enough anymore. We need to do better! We need to put administrative safeguards in place and hold people accountable to follow them.

Policies, Procedures, Standards, and Training

Policies are very specific statements designed to influence decisions and actions. They set boundaries and outline consequences for failure to comply with the policy. Procedures are the specific methods employed to carry out a policy and are often expressed in bulleted or numbered lists of “things to do” and the order to do them. Together, policies and procedures ensure that a desired outcome is achieved in a consistent manner. Standards are a variation of policies and are generally less strict in the way that they are enforced. An example would be a Communication Standard that defines what tools and techniques should be followed to effectively communicate with coworkers. If a worker uses email when the Communication Standard suggests a face-to-face meeting, the consequence could be a misunderstanding. Whereas failure to follow an attendance policy could result in employee termination. And finally, training is the essential control that ties the others together. A policies and procedures manual that isn’t read, understood or followed is ineffective. On the other hand, disciplined, consistent, and well-crafted training will ensure measurable and meaningful results.

Top 7 Controls

The National Institute of Standards and Technologies (NIST) defines well over 150 cybersecurity administrative controls to keep your business safe. This is an overwhelming number for a small business owner to comprehend and act on. I’ve boiled these down to a balanced set of seven impactful controls that are essential for organizations to have in place today:

  1. Password Policy - clearly define the need for strong and unique passwords, and how workers should use and protect those passwords in their daily work.
  2. Cyber Security Awareness Training - ensures users are fully aware of the cyber threat and what part they play in keeping the organization safe.
  3. Data Protection Policy - define the acceptable locations that data can live, when it should be encrypted, and how sensitive data should be exchanged and disposed of.
  4. Mobile Device Usage Policy - ensure that users treat their mobile devices with great respect because the data stored on these devices is highly targeted by cyber criminals.
  5. Social Media Use & Privacy Policy - ensure users understand what is appropriate to share on social media platforms, and more importantly, what is inappropriate.
  6. Cybersecurity Incident Response Procedure - define the detailed steps to follow when a security incident occurs, who will act, and how fast they are expected to act.
  7. Crisis Management Policy – define how the organization will continue to serve customers when a security incident or other crisis occurs.

It’s critical that you take the proactive steps to control your environment, but also properly plan for something bad to happen. A security incident is not just an IT problem. It is a business productivity problem, a legal problem, a public relations problem, AND an IT problem that could be very costly.  Since it’s the time of year to make plans for next year, please add “Improve our cyber-security posture” to your action list for 2019! It will be time well spent!

For more information, please contact the author.