Cyber Guidance for Small Businesses

I need your help.

In the past few weeks I keep encountering the topic of cyber guidance for small businesses. This topic matters to me not only because cyber guidance is my profession, but because I have my own small business (me, myself, and I). 

Contracts often require me to attest to having all sorts of cybersecurity plans, policies, and processes. I take security seriously, but I don't have a business continuity plan--instead, I have an old laptop I can use if my current one breaks, and I can tether my laptop to my smartphone if my internet access fails. That's my plan.

The other day I was talking to someone at a small business who's having a tough time complying with their customer's request to attest to compliance with a framework. The issue isn't the framework's requirements--it's the overhead involved in someone from the small business learning the framework, doing an assessment of the business's practices and technologies, documenting artifacts and evidence, and so on, or finding the budget for a third party to do an assessment for them. Either way, it's a huge burden for a small company.

If you're responsible for cybersecurity for a small business, what are your go-to resources? What guidance do you wish you had that you don't? How can the security community better bridge the gaps between Big Guidance and small business? Please send your suggestions to me at karen@scarfonecybersecurity.com. I know we can do better!