Wyoming Business Tips for Aug. 6

A weekly look at Wyoming business questions from the Wyoming Small Business Development Center (WSBDC), part of WyomingEntrepreneur.Biz, a collection of business assistance programs at the University of Wyoming.

By Jim Drever, WSBDC regional director and cybersecurity specialist

“What is a cybersecurity plan?” Alex, Laramie

A cybersecurity plan is a risk management plan focused on your data/information and computer systems. As with any risk management plan, cybersecurity plans vary in complexity and are unique to each business and even every individual.

The WSBDC can help small-business owners develop a cybersecurity plan, but some individuals may want to develop their own plans. Here are the steps to get started:

-- Figure out just what you have. Map out an inventory of all computers, modems, routers, smartphones and “internet of things devices,” such as security cameras and online thermostats. You need to include other data, systems and information that you have stored online in the cloud or on remote devices. This also will lead to mapping out your network if you haven’t done so already.

This skips ahead a step, but it is a good moment to think about how you will dispose of these items in the future.

-- The next step is to assess risk: identify the potential threats to what you have inventoried, and assess the likelihood and impact of each.

For example, in traditional risk management, we know that fires are rare, but have devastating impacts, and we plan accordingly with several “controls,” as they are called. The same assessment strategy is used for cybersecurity planning. Using the likelihood and impact, rate your assets as low, medium or high risk to help you with the next step.

-- With each item now inventoried and assessed for risk, develop security controls focused on prevention, detection and recovery. Going back to traditional risk management, you assess your home as having critical value and, thus, you probably have prevention in place, detection if something does happen and insurance to try to recover if your house does catch fire.

This same concept applies to your cybersecurity plan, and your mitigation efforts depend on the risk assessment level. Backups, training, physical security, and network and computer access are common ways to mitigate some risks. I recommend documenting this.

By now, you have a plan to keep your computers, information and systems safe and have a recovery plan in place. But, if you determine you have more complex and critical systems/information to protect (maybe you have patient data, for example, or manage customer financial accounts), you should look at the National Institute of Standards and Technology Special Publication 800-53 found at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

This document will walk you through the many security controls, which are grouped into families to serve as a guide. For example, it details control families such as physical devices, maintenance, access control, incident reporting, awareness training and other aspects of developing a comprehensive cybersecurity plan.

Remember, the WSBDC has a certified cybersecurity adviser to help, if needed.

A blog version of this article and an opportunity to post comments are available at www.wyomingsbdc.org/blog1/.

For more information, call the WSBDC Network Procurement Technical Assistance Center at (307) 772-7372 or email amlewis@uwyo.edu.

The WSBDC is a partnership of the U.S. Small Business Administration, the Wyoming Business Council and the University of Wyoming. To ask a question, call 1-800-348-5194, email wsbdc@uwyo.edu, or write 1000 E. University Ave., Dept. 3922, Laramie, WY, 82071-3922.
