Small businesses should look for Default Security in the devices, services and systems they plan to use for their business. Default Cyber Security is military grade security built into devices, services and systems that works without any configuration by the end user to “set it up” or “activate it”. Default Cyber Security devices, services and systems should include automated security updates, automated system updates, automated backups (copies of data) and automated encryption of data, both at rest and in transit, enabled by default.
Google’s Chromebook is an example of a device with default security.
Software-as-a-Service (SaaS) programs like Intuit ProConnect Tax and Google Workspace are examples of software services that include default security for data stored on their systems through mandatory encryption.
Secure by Default devices, systems, services and staff for a small tax practice of 1-5 staff would include:
- Google Chromebooks (add Enterprise option for full laptop control including remote delete/wipe)
- Google Workspace Business (Central Shared Drive folder, plus business email email@example.com and Google Sites for website, managed by Google Admin panel)
- Intuit ProConnect Tax Online, Intuit Link (managed data transfer), Intuit Quickbooks Online Accountant
- Square Payments (PCI-DSS compliant payment processor)
- Kingston IronKey (AES-256 encrypted USB drive with an integrated crypto chip, used for air-gapped data backup)
- Microsoft OneDrive Personal Vault (secure secondary cloud backup)
- Staff should only access ALL online systems using multi-factor authentication (MFA), with NO exceptions made for ANY staff, EVER. Staff should only use work-authorized systems, apps and sites to access or use work data. Staff should never, EVER click, press or tap on anything in an unexpected message.
In addition, always carry active Cyber Security / General Liability insurance.
Herewire IT Cyber Services
Basic user setup administration for business-specific cloud apps (ProConnect, Clio, RightCapital, Curve Dental, ForeFlight), focusing on establishing multi-factor authentication for all users without exception.
Business continuity operations planning (consideration of different types of backup plans to keep the business operating if cyber security incidents, facility outages, device breakage and/or cloud service outages occur).
Security training sprints (3-5 short daily security reminders sent to all staff as an email form (Google Forms)).
(Services for businesses with up to 5 staff)
Herewire IT Cyber Security focuses on practically deploying generally accepted cyber security standards so that your business runs efficient, understandable and secure daily practices by default.
National Institute of Standards and Technology (NIST) Cyber Security Framework (NIST CSF)
NIST 800-53 (revision 5) (Low baseline items, both privacy and security, suitable for small businesses) (NIST 800-53B, Control Baselines)
CIS Critical Security Controls
The US Cybersecurity & Infrastructure Security Agency (CISA) provides Cyber Hygiene Services free of charge to federal, state, local, tribal and territorial governments, as well as to public and private sector critical infrastructure organizations (US-CERT National Cyber Assessments and Technical Services (NCATS)).
CISA – Preparing for and Mitigating Cyber Threats
NIST 800-61 (Computer Security Incident Handling Guide)
Cybersecurity & Infrastructure Security Agency (CISA) Incident and Vulnerability Response Playbooks (CISA Incident Response Playbook document) (2021)
CyberSpeedLane Checklists and Reports
FAST Cyber NIST Checklists (USE THESE)
NIST CSF (record OP/INOP items)
NIST SP 800-53 rev 5 (low baseline) (record OP/INOP items) (Security and Privacy Controls for Information Systems)
NIST Checklists (FAST) (FAST checklist review without recording OP/INOP items)
CISA Incident Response Playbook (record OP/INOP items)
FASTCyber (Quick Review lists, NIST CSF, NIST 800-53 lowBase, CISA Incident Response)
NIST CSF mobile review checklist (local program)
NIST 800-53 low baseline mobile review checklist (local program)
CISA Incident Response Playbook (based on NIST 800-61) mobile checklist
IT Security Vendor Selection Checklist (staysafeonline.org)
IT Inventory (small business, manual method) (save data to your private Twitter account)
Webapp, website, cloud security check online (immuniweb.com)
Global Cyber Alliance Small Business Toolkit
FASTCyber IRS Data Security Review (abbreviated) (Report Results)
FASTCyber Do-it-Yourself (DIY) (custom checklist) (access ID required)