Chris

Security Resources for Small Businesses

There's a world of security resources out there that you know you should be leveraging as a small business — especially the free ones. But how do you know where to find them?

Let this index be your guide.

I. GOVERNANCE, RISK, AND COMPLIANCE (GRC)

A. Policies, Procedures, and Standards (PPS)

B. Security Education Management (SEM)

  • KnowBe4: KnowBe4 is a CG Silvers partner that offers security awareness training, automated alerting, and simulated phishing attacks. Find a range of free tools and resources on their website.

  • Gophish: A free, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.

C. Data Privacy and Compliance (DPC)

  • HIPAA COW Toolkit: Provides a valuable risk assessment and risk management toolkit. A risk assessment can help your organization ensure it is compliant with HIPAA’s administrative, physical and technical safeguards. It can also help reveal areas where your organization’s protected health information (PHI) could be at risk.

  • US Department of Health and Human Services (HHS) SRA Tool (Security Risk Analysis Tool): This tool guides you on a compliance gap assessment instead of a full-blown risk assessment.

  • Payment Card Industry Data Security Standard (PCI-DSS): The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card payment account data protection.

  • PCI-DSS Scoping and Segmentation PDF: This guide makes previous guidance more official and can help you reduce your compliance burden through reducing the number of systems in scope for PCI DSS compliance.

  • Penetration Testing Guidance PDF: This guide specifies how a penetration test is to be conducted to meet the requirements in PCI DSS requirement 11.3. Since not all penetration tests are created equal, this guidance is important to understand before conducting them.

  • General Data Protection Regulation (GDPR): A handy resource for understanding European data protection regulations, particularly for organizations who handle data concerning European citizens, whether they are customers, partners, or employees.

  • California Consumer Privacy Act (CCPA): If your organization does business with Californians or in California, then you want to make sure you understand and comply with the new regulations that protect consumer data. In addition to the link above, PwC offers a “roadmap” on their website that explains how companies can be ready for the January 2020 compliance deadline.

D. Enterprise Risk Management (ERM)

II. TECHNICAL CONTROLS

A. Core Security Solutions

  • pfSense: A free, powerful, and flexible firewalling and routing platform.

  • Microsoft LAPS: Use LAPS to automatically manage local administrator passwords so that passwords are unique on each managed computer, randomly generated, and securely stored.

  • Microsoft Defender Suite: Among other security tools, Windows Defender includes an antivirus solution that delivers comprehensive protection against software threats like viruses, malware, and spyware.

B. Security Operations Center

  • Security Onion: Security Onion is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.

  • Elastic Stack (ELK): Elasticsearch, Logstash, and Kibana are three open source projects that can aid in security monitoring and can provide a security information and event management solution.

C. Threat Intelligence and Awareness

  • Google Alerts: Using strategic keywords, set up Google Alerts to monitor security breaches or simply to stay aware of current cybersecurity threats specific to your company or industry.

  • News

    • HelpNetSecurity: Offers daily security news with a focus on enterprise security.

    • KrebsOnSecurity: Brian Krebs, a journalist formerly with The Washington Post, offers in-depth security news and investigation.

    • Packet Storm Security: Stay aware of vulnerabilities that might affect your systems by keeping up with the latest cyber security news.

    • SANS Internet Storm Center: SANS constantly monitors the internet for any signs indicative of a malicious attack and makes its findings available, for free, to any internet user.

  • Twitter

    • ScamSurvivors: Get the scoop on current scams in the media and how to avoid being a victim of online fraud.

    • SocEngineerInc: Twitter account run by the phenomenal Christopher Hadnagy, the founder and CEO of Social-Engineer, LLC.

    • Steve Gibson: Steve Gibson, the founder of Gibson Research Corporation, provides a more personal perspective on cyber security.

    • Lance Spitzner: Lance Spitzner is a self-described security geek, board member of the National Cyber Security Alliance, and the Director of SANS Security Awareness.

  • Podcasts

    • Hacking Humans: Each week, the CyberWire’s Hacking Humans podcast looks behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines.

    • Recorded Future: This podcast takes you inside the world of cyber threat intelligence. Hear stories from the trenches and get the skinny on established and emerging adversaries.

    • The Privacy, Security, & OSINT Show: This weekly podcast presents ideas that help you become digitally invisible, stay secure from cyber threats, and become a better online investigator.

III. TECHNICAL ASSESSMENTS

A. Security Vulnerability Management

  • OpenVAS: OpenVAS is a free, open-source vulnerability scanner that can run practically any type of vulnerability test.

  • Kali Linux: This all-in-one box not only gives you access to OpenVAS, but also provides access to other tools used in security vulnerability assessment and penetration testing. (It’s okay. We all giggle when we read “penetration testing”, too.)
