[HN Gopher] Cyber Guidance for Small Businesses
___________________________________________________________________
Cyber Guidance for Small Businesses
Author : Trouble_007
Score : 38 points
Date : 2022-11-26 18:26 UTC (4 hours ago)
(HTM) web link (www.cisa.gov)
(TXT) w3m dump (www.cisa.gov)
| mos_6502 wrote:
| I don't understand the intended target audience. Who is this for?
|
| Most SMB leaders have enough trouble as it is keeping up with
| their day to day IT operations. The section at the start of the
| document is intended for "CEOs", yet it's likely impenetrable to
| that audience on account of the jargon while simultaneously
| giving advice that's too high-level/broad to be useful.
|
| Later parts of the document intended for technical leads are too
| focused on minutiae rather than outlining the overarching goals
| of their implementation, which loses the intended spirit of the
| document IMO.
|
| For example, it's more useful to start by outlining what these
| controls are trying to achieve. For example, "Ensuring business
| continuity after a ransomware attack" or "Protecting business
| assets with strong multi-factor authentication", as opposed to
| throwing out specific individual technical controls without a
| high-level narrative to describe what you're actually aiming for.
| chiefalchemist wrote:
| Agreed. Ask any SB owner to list the Top 10 things that keep
| them up at night and cyber-security wouldn't crack the Top 100.
|
| Uncle Sam's concerns are embarrassing lip service without any
| significant monies to lend a hand. And Sam wonders why so many
| have less and less faith in Washington DC.
| AlotOfReading wrote:
| Almost any SMB owner that isn't concerned about cybersecurity
| _should be_. Losing access to your payment terminals, or
| email, or accounting docs, or production equipment, or any
| number of other computerized systems would be existential
| risks for SMBs across the country.
|
| Maybe there's an argument that the government should do a
| better job systematically eliminating cybersecurity risks the
| way they do with natural disasters via building codes, but
| I'm not sure why a monetary handout would help things. Like,
| your idea of right sized government is half the country
| filing IT upgrade proposals with the feds?
| chiefalchemist wrote:
| Did I say they shouldn't be concerned?
|
| After 2 years of Covid "disruption", immediately followed
| by war and drastic inflation and then predictions of
| recession, only the naive - and the government - would
| believe this ranks with SMBs.
|
| > "I'm not sure why a monetary handout would help things."
| Do you know any SMBs? Ever been one yourself? If the
| priority is to keep the lights on and make payroll, and
| they ARE struggling to do that, without support, sec isn't
| going to get much attention. If a pricey consultant needs
| to be brought in, how are they going to pay for that? How
| are they going to make time - and time is money - for that?
| icegreentea2 wrote:
| While I agree a bit that this particular link might miss the mark
| a little, this isn't the only SMB relevant material from CISA.
|
| For example, the Cyber Essentials
| (https://www.cisa.gov/cyber-essentials) and Cyber Essentials Starter Kit
| (https://www.cisa.gov/sites/default/files/publications/Cyber%...)
| both seem structured better.
|
| Upfront it tells you the stakes, gives a tiny bit of a more holistic
| view of cybersecurity, then a quick pragmatic checklist of things to
| just do first (backups, MFA, keep up to date with updates/patches), and
| then dives into the same frameworkey stuff.
|
| Greater federal intervention into SMB cybersecurity beyond this
| type of material and bulletins is politically challenging,
| particularly given that the foundation of cybersecurity is risk
| assessment. It'd be incredibly challenging for any federal agency
| to set true baseline requirements for cybersecurity measures
| (since that would constitute doing part of the risk assessment
| for SMBs - and that just screams nanny state).
| enkid wrote:
| I think the comments so far are too harsh. The purpose of this
| document is to lay out, in plain language, what should be the
| minimum requirements for a small business in terms of cyber
| security. If there's no place to start, small businesses won't even
| be able to try. Following this document probably also will help
| with legal liability should the company have an incident. If you
| followed these steps, you're probably less likely to have
| liability than if you didn't.
| patrakov wrote:
| Edit: this is applicable not to a "small business" in general,
| but a "small non-IT business". For a small IT business, well,
| this is only partially applicable - only to non-IT roles. If
| they are developing desktop software, then they need to be able
| to test its installation and upgrade via the installers, which
| is then incompatible with the "remove admin privileges from
| laptops" recommendation.
| Godel_unicode wrote:
| Or they can run their installer tests in a VM, which can be
| created without admin. And as a bonus the install experience
| will be more likely to be portable, as opposed to silently
| depending on some forgotten config on the dev's own machine.
| wallfacer120 wrote:
| Most people aren't capable of responding to anything the
| government does with anything but brain-dead snark. I've been
| feeling this problem has been getting worse on YC as of late.
| gjsman-1000 wrote:
| I think this is inevitable as people increasingly view the
| government as full of brain-dead politicians who don't know
| what they are doing. ;)
|
| Also, to be fair, we have some people in high authority who
| arguably are one step above brain dead...
| chiefalchemist wrote:
| Small business? Is it 1 April already? This just comes off as yet
| another Uncle Sam entity completely out of touch with reality. At
| the very least it should be coupled with some sort of support
| program(s).
|
| Mind you, it's not a political favourite, but SB / SMB
| cyber-security is 10x more important than student loan debt
| forgiveness.
| IntFee588 wrote:
| "Select and support a 'Security Program Manager.' This person
| doesn't need to be a security expert or even an IT professional.
| The Security Program Manager ensures your organization implements
| all the key elements of a strong cybersecurity program."
|
| Somewhat contradictory. A "security program manager" can't
| implement good security if they don't know what it looks like,
| even if given a checklist.
|
| This reads like the sort of document that the government
| publishes because it has a fiduciary to protect the vaunted
| "small business owner," similar to "fraud awareness" campaigns,
| but is more laying the groundwork to say that they told you so,
| rather than real protection.
| patrakov wrote:
| Exactly.
|
| We interviewed a fake cybersecurity specialist some time
| ago. And I still use this experience as the main evidence that
| a pure compliance role, without technical expertise in system
| administration, does not make any sense. "He will make sure
| that there is a firewall everywhere, but will not make sure
| that your database is only accessible from the EC2 instance
| that runs your web app".
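An added example, not from the thread or from CISA's document, of the distinction patrakov draws between "a firewall everywhere" and "the database is reachable only from the web app's instance": a small audit over EC2 security-group ingress rules that flags any rule reaching the database port whose source is not the web app's own security group. The rule dictionaries follow the shape boto3's `describe_security_groups()` returns (`IpPermissions`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`); the group ids, the port (5432) and the sample groups are constructed for the example.

```python
"""Audit database security groups: a firewall "everywhere" still fails if the
database port is open to 0.0.0.0/0. Data shape mirrors boto3
describe_security_groups(); all ids and values below are constructed."""

DB_PORT = 5432                  # assumption: PostgreSQL
APP_SG_ID = "sg-0000app0000"    # constructed id of the web-app security group

# Constructed sample: one group open to the world, one scoped to the app SG.
CONSTRUCTED_SGS = [
    {
        "GroupId": "sg-0000db0weak",
        "GroupName": "db-open",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0000db0good",
        "GroupName": "db-scoped",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [],
             "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": APP_SG_ID}]},
        ],
    },
]


def rule_covers_port(rule, port):
    """True if this permission entry reaches `port`.
    EC2 encodes "all protocols / all ports" as IpProtocol "-1" with no port range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def audit_db_ingress(security_groups, db_port=DB_PORT, app_sg_id=APP_SG_ID):
    """Return a list of findings. A group is clean only when every rule that
    reaches db_port is sourced from app_sg_id and nothing else."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, db_port):
                continue
            # Any CIDR source is wrong here: the intended source is a security
            # group, not an address range. /0 (anyone) is the worst case.
            for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
                cidr = r.get("CidrIp") or r.get("CidrIpv6")
                findings.append({
                    "group": sg["GroupId"],
                    "port": db_port,
                    "source": cidr,
                    "severity": "high" if cidr.endswith("/0") else "medium",
                    "reason": "CIDR source on DB port; expected the app SG",
                })
            # Security-group sources are the right mechanism, but only the
            # web app's group should appear.
            for pair in rule.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != app_sg_id:
                    findings.append({
                        "group": sg["GroupId"],
                        "port": db_port,
                        "source": pair.get("GroupId"),
                        "severity": "medium",
                        "reason": "DB port reachable from a non-app SG",
                    })
    return findings


if __name__ == "__main__":
    for f in audit_db_ingress(CONSTRUCTED_SGS):
        print(f"{f['severity']:6} {f['group']} port {f['port']} from {f['source']}: {f['reason']}")
```

In a real account the list of groups would come from `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` filtered to the database's groups; the check is deliberately strict (any source other than the app security group is a finding) because a bastion or office CIDR on the database port is a decision that should be made explicitly, not inherited from a default.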
___________________________________________________________________
(page generated 2022-11-26 23:01 UTC)