Cybersecurity is now a primary concern of senior executives within both the Fortune 500 and, perhaps more importantly, the “SME 28.” That would be the roughly 28 million small and medium enterprises in the United States. Yet, despite a near universal appreciation of the gravity of the threat, many officers and directors throughout industry remain uncertain of how best to approach the problem. If your organization falls within that category, don’t despair. There are a number of free tools available to organizations of all sizes to better understand and assess their cybersecurity posture.
1. HealthIT.gov
Did you know that the U.S. Department of Health and Human Services developed an easy-to-use, free Security Risk Assessment tool that works on Windows operating systems and can even be downloaded from the Apple App Store for your iPad? The site also includes online game modules for protecting sensitive electronic data and for conducting cyber contingency planning, a 10-Step Privacy and Security Plan, a video series on mobile device information security practices and a Security 101 video series. If you’re not in the healthcare industry, simply substitute “Critical Sensitive Data” every time you see the terms Protected Health Information or Electronic Health Records, and replace “Patients” with “Customers/Clients.”
The Federal Communications Commission developed “Small Biz Cyber Planner 2.0” by teaming with members of the public and private sector, including the Department of Homeland Security, the National Cyber Security Alliance and the Chamber of Commerce. With the click of a few buttons, companies can create a custom plan to include sections on privacy and data security; scams and fraud; network security; website security; email; mobile devices; employees; facility security; operational security; payment cards; incident response and reporting; and policy development and management. Also available on the FCC website is a helpful one-page document titled “Ten Cybersecurity Tips for Small Businesses.”
Texans are known for doing things in a big way, and this site is no exception, especially when you consider the Greater Houston Partnership prepared this national treasure as a simple resource for local area businesses. Fill out the Cybersecurity Self Assessment Tool and get instant feedback about whether your risk level is relatively low, requires additional cost/benefit analysis, or is screaming out for further investment. Next, review the well-crafted manual on Cybersecurity and Business Vitality.
4. US-CERT.gov/home-and-business
Brought to you by the U.S. Department of Homeland Security, the information provided here excels at succinctly explaining the basics relating to home and office network security, taking advantage of cloud computing, using mobile devices and effectively deleting files, just to name a few.
5. CERT.org/information-for/managers/
Before the United States had a US-CERT, the Software Engineering Institute at Carnegie Mellon University ran the CERT Coordination Center. Its website boasts a wide array of information, including an extensive podcast series covering forensics, governance, metrics, privacy, resilience and other significant topics. In addition, CERT offers the most comprehensive information anywhere relating to combatting the potentially devastating insider threat.
6. SANS.org/security-resources
Need a security policy? The SANS Security Policy Project assembles more than a dozen information security policy templates in one place, including such timeless classics as Email Security Policy and Internet Usage Policy. This site also is home to the world-renowned Top 20 Critical Controls for prioritizing, implementing and measuring those efforts “where products, processes, architectures and services are in use that have demonstrated real world effectiveness.”
Last, but certainly not least, is NIST. Its collection of resources is bigger, better and stronger than all the rest combined, but that strength can serve as a weakness if it overwhelms your particular organization. When you’re ready for NIST, it will be there for you. Start with the easily accessible Framework. End with a cyber risk management process that will last indefinitely.
Conclusion
Although many of these websites provide the traditional disclaimers that they are no substitute for consulting qualified cybersecurity professionals and legal counsel, they most certainly are a substitute for inaction. Do you have other resources to offer our readers? Please post your comments to SecurityMagazine.com. Your free advice will grow our list to eight.
About the Columnist:
Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting and network security pen-testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at steve.chabinsky@crowdstrike.com. You can follow him on Twitter @StevenChabinsky.