Ideas regarding educating individuals and small businesses
I'm interested in your feedback regarding what I am proposing below, eg., too simplstic/naive, more detail, approaches, etc. Thanks in advance.
Most, if not all of the training and certification materials for cybersecurity (e.g., CEH, CISSP, CISM, Security+) focus on larger organizations. What about small businesses and individuals? In many ways, the failures to implement information security measures are similar. In many respects the there are similarities between large organizations, small to medium businesses and individuals. The reasons might be, it's too expensive, interferes with the business or plans, the attitude that it won't happen to me, it's too much work or its too complicated. Failure to implement cyber security for these groups, is like the failure for people to get immunizations. Exploits affecting small businesses or individuals can affect others as well. Accessing one infected system in any of these groups can cause an epidemic of exploits. The factor that links these groups together is that all organizations are comprised of individuals all of whom are consumers. In this regard, it was reported (2017 Norton Cyber Security Insights Report Global Results) that cybercrime cost consumers $172B in 2017 and about 3 full work days to deal with the aftermath, with the ultimate effect of loss of productive activities for businesses and individuals. Education and not necessarily technology is a solution. Some organizations take on this responsibility if for nothing else but for compliance with regulations and laws. For individuals not in these groups, there is no formal mechanism for education. In this regard, discussion of the NIST 7621 rev 1, 2016 small business information security framework is absent from the CISSP, CEH, CISM, Security+ certifications (as of this date). Non-technical (and some technical) individuals as well as small businesses using devices to access the internet for personal or business purposes need to provide information in an accessible manner.
The first step would be educating management for need irrespective of any consideration of cost. The method generally outlined is performing a risk assessment and a BIA. But this requires adequate personnel to perform these activities while the organization is focused on production. With this in mind, the purpose here is to develop methods for communicating to these groups and simplifying the implementation of security policies and controls.