Starting your own small business is equal parts exciting and terrifying. You do your homework, get advice, take the leap… and suddenly, you’re juggling more than you expected.
Managing privacy and data isn’t something you can leave to chance. It takes a partnership between your legal and IT providers to make sure both sides are covered.
Knowing the risks is one thing. Setting up your systems to reduce those risks is what really matters.
Cyber-attacks and data breaches are in the news daily, so you’re naturally worried that it might happen to you one day. What can you actually do about it though?
Where do you even start with cybersecurity and your business?
If you’re running a micro-business with fewer than 5 people in it, chances are you’re getting by on whatever IT skills you’ve learned yourself over the years. Maybe you’re lucky enough to have a tech-savvy friend to help you out when you need it.
Outsourcing to a professional IT Managed Service Provider (MSP) sounds like a wonderful idea, but the cost can be a barrier when you’re still trying to build a sustainable revenue base.
Even if you’re a bit bigger and have found an MSP that seems like they know what they’re doing, how do you really know? It’s hard to have a conversation about cybersecurity with them when you don’t speak the language. Even if you manage to ask the right questions, you know the answers are probably going to be a mess of indecipherable jargon and geek-speak (reminds me a bit of “legalese!”).
Enter: the OpenCASE framework.
After seeing these problems play out over the last decade, Shogun Cybersecurity could see that small business was being sold frameworks and best practices developed for much larger organisations, which just don’t translate to a small business context.
The complexity, time and financial investment required to make them work is impractical, and maybe even impossible to adapt.
This realisation motivated them to create OpenCASE, the Open Cybersecurity Architecture for Small Enterprise. OpenCASE has been designed specifically to address the challenges and constraints of tackling cybersecurity in a modern small business.
It defines 11 priorities for protecting different aspects of cybersecurity, each with 3 implementation levels of gradually increasing strength and complexity to cater to different levels of capability and maturity.
In stark contrast to established standards, OpenCASE is just for small business. It caters to the unique characteristics of small business IT environments and is realistic about what’s achievable within the constraints of a small business budget.
It’s not meant to be comprehensive, or perfect, or to scale for larger organisations. It’s meant to be a practical starting point for small businesses that want to be proactive about cybersecurity, but don’t know how.
Understanding the 11 Priorities
The prioritised structure of OpenCASE tells you where to start and how to progress. The language is plain, and the objectives are clear.
You don’t need to be an IT or cybersecurity expert to understand the intent:
- Priority 1: Protect your user accounts.
- Priority 2: Protect your people.
- Priority 3: Protect your passwords.
- Priority 4: Protect against malware.
- Priority 5: Protect your data.
- Priority 6: Protect privileged accounts.
- Priority 7: Protect your applications.
- Priority 8: Protect your email.
- Priority 9: Protect your devices.
- Priority 10: Protect third party relationships.
- Priority 11: Prepare for the worst.
This list of priorities represents the most effective tactics for protecting a small business against cybersecurity threats.
The lower layers of the framework are where the real detail is spelt out. Every priority has 3 levels that describe specific, practical steps for implementation. For example, Priority 1 requires the following:
- Level 1: Enforce multi-factor authentication for primary user accounts.
- Level 2: Don’t use weak multi-factor authentication methods.
- Level 3: Use single sign on or multi-factor authentication with all cloud applications.
At this layer, OpenCASE is more instructive about what to do, so the language used is a little more technical, but should still be familiar. Below this are the completion criteria, which focus on the practicalities of implementation. They define what specifically must be done to satisfy the requirements of the framework. For example, the completion criteria for Priority 1, Implementation Level 1 are specified as:
- All human users are required to complete multi-factor authentication when signing in to their primary user account.
Straightforward, unambiguous, and in plain words that should be friendly enough for non-technical small business owners.
Where terms are used which might lead to confusion, there is a separate “Guidance” file that provides additional context and clarifications. The completion criteria are also written so they’re easy to measure, to avoid any confusion about whether you’ve met them.
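Because the completion criteria are written to be measurable, they can be checked from the data you (or your IT provider) already have. The following is an added example, not part of OpenCASE or Shogun Cybersecurity’s material, that assesses the three Priority 1 levels against an export of user accounts and cloud applications. The export format is constructed for the example; a real identity provider (Microsoft Entra ID, Google Workspace, Okta and so on) exports this differently, so the loading step would need adapting. Which MFA methods count as “weak” is an assumption made here (SMS and voice-call codes, which are phishable and exposed to SIM swapping); the OpenCASE Guidance file is the authority on its own definition.

```python
"""Measure OpenCASE Priority 1 completion criteria from an identity-provider export.

Added example; not OpenCASE's own tooling. The export shape and the list of
"weak" MFA methods are assumptions, not taken from the framework text.
"""
import json

# Assumption: SMS and voice-call codes are treated as weak MFA. Align this
# with the OpenCASE Guidance file before relying on the Level 2 result.
WEAK_MFA_METHODS = {"sms", "voice"}

# Constructed sample export (hypothetical shape): one record per account and
# one per cloud application, as an identity provider's listing might give you.
SAMPLE_EXPORT = json.dumps({
    "users": [
        {"name": "alice", "human": True, "mfa_methods": ["totp", "fido2"]},
        {"name": "bob", "human": True, "mfa_methods": ["sms"]},
        {"name": "carol", "human": True, "mfa_methods": []},
        {"name": "backup-svc", "human": False, "mfa_methods": []},
    ],
    "cloud_apps": [
        {"name": "Accounting SaaS", "sso": True, "mfa": False},
        {"name": "Marketing SaaS", "sso": False, "mfa": True},
        {"name": "Legacy CRM", "sso": False, "mfa": False},
    ],
})


def load_export(raw: str) -> dict:
    """Parse the (constructed) JSON export into a dict."""
    return json.loads(raw)


def level1_gaps(export: dict) -> list:
    """Level 1: all human users complete MFA on their primary account.
    Returns the human users with no MFA method enrolled at all.
    Service accounts are out of scope here (they are Priority 6 territory)."""
    return sorted(u["name"] for u in export["users"]
                  if u["human"] and not u["mfa_methods"])


def level2_gaps(export: dict) -> list:
    """Level 2: no weak MFA methods. Flags any human user with a weak method
    enrolled, even alongside a strong one, because an attacker can usually
    choose the weakest factor the account still accepts."""
    out = []
    for u in export["users"]:
        methods = {m.lower() for m in u["mfa_methods"]}
        if u["human"] and methods & WEAK_MFA_METHODS:
            out.append(u["name"])
    return sorted(out)


def level3_gaps(export: dict) -> list:
    """Level 3: every cloud application is behind SSO or its own MFA."""
    return sorted(a["name"] for a in export["cloud_apps"]
                  if not (a["sso"] or a["mfa"]))


def assess(export: dict) -> dict:
    """Run all three levels. Each entry lists the accounts or apps that stop
    the completion criterion being met, and whether the level is met (no gaps)."""
    checks = {"level1": level1_gaps, "level2": level2_gaps, "level3": level3_gaps}
    report = {}
    for level, check in checks.items():
        gaps = check(export)
        report[level] = {"gaps": gaps, "met": len(gaps) == 0}
    return report


def highest_level_met(report: dict) -> int:
    """Headline figure for the conversation with your IT provider: since you
    work up from Level 1, count consecutive levels met from the bottom."""
    met = 0
    for level in ("level1", "level2", "level3"):
        if not report[level]["met"]:
            break
        met += 1
    return met


if __name__ == "__main__":
    result = assess(load_export(SAMPLE_EXPORT))
    for level, entry in result.items():
        status = "MET" if entry["met"] else "NOT MET"
        print(f"Priority 1, {level}: {status}  {', '.join(entry['gaps'])}")
    print("Highest level fully met:", highest_level_met(result))
```

On the sample data the script reports carol (no MFA) as the Level 1 gap, bob (SMS only) as the Level 2 gap and “Legacy CRM” as the Level 3 gap, so the highest level fully met is 0; fixing those three items takes Priority 1 to Level 3. Feeding it a real export turns the question “are we doing all of this?” into a list of named accounts and applications to act on.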
Sounds great, but what am I meant to do with all of this?
OpenCASE is intended to facilitate a proactive approach to cybersecurity within a small business. Think of it as a roadmap which shows you where to go so you don’t have to work it out yourself, or worry about whether you’re going to get lost along the way. Start at Priority 1, Implementation Level 1, and work your way up the list.
If you have an IT service provider, OpenCASE empowers you to have meaningful conversations with them about cybersecurity – you don’t need to know a lot of fancy jargon, you can just ask them “are we doing all of this, and if not, can we?” Now you’ve got a common language to talk about where you are in your cybersecurity journey, and then go on to measuring performance and improvement over time.
Best of all, OpenCASE is FREE! It’s published under a Creative Commons license which allows free use within a commercial setting, so it’s not going to cost you (or your IT service provider) anything to use it. That means more money to spend on the things which will actually make a difference – like a good password manager, or training for your employees.
About Shogun Cybersecurity
OpenCASE was created by Corch, founder of Shogun Cybersecurity. They’re an independent Australian consultancy that’s been working heavily with small businesses and not-for-profits for the last 10 years, providing tailored strategic advice and cybersecurity expertise. They work collaboratively with their clients and the clients’ existing IT service providers to help them level up their cybersecurity.
You shouldn’t need their help with implementing OpenCASE in your business, but if you’ve got special requirements or you want to invest a little more in cybersecurity for that extra peace of mind, then you can get in touch with them at info@shogun.net.au.