
Tracie White

December 2016
Background
The Arkansas Small Business and Technology Development Center (ASBTDC) assists small businesses with start-up, management, and expansion
The ASBTDC offers free confidential business consulting, low-cost training, and free market research
The ASBTDC is part of the national organization, America's Small Business Development Centers, and partners with the United States Small Business Association (SBA) and institutions of higher education

Background
The ASBTDC relies heavily on information technology to conduct business.
The ASBTDC uses the database software CenterIC (MIS) to document client information and to track business consulting and training, including:
Clients' personal information
Financial information
Proprietary product information
Goals and metrics of each consultant and each of the centers

Purpose
The purpose of this project is to discover the current cybersecurity position of the ASBTDC.
The same technology that helps the ASBTDC work more efficiently also opens the ASBTDC to potential cyber intrusion attacks
Purpose
The ASBTDC, like most small businesses, assumes it is not a target for cyber intrusion attacks
Lou Shipley from the Wall Street Journal said over 70% of cyber intrusions are directed at small businesses
According to Symantec's 2016 Internet Security Threat Report, cybersecurity attacks on small businesses with fewer than 250 employees have more than doubled in the last five years

Problem Identified
To keep the ASBTDC secure from cyber-attacks, the following measures are needed:
Virus, spyware, and malware protection
Hardware and software firewalls
Back up data
Control access
Educate employees on cybersecurity best practices
Cybersecurity risk management plan
Problem Identified
A recent distributed denial of service (DDoS) cyber-attack affected several major websites, causing the online registration for the ASBTDC's training workshops to go down.
The DDoS affected over 80 websites, including Constant Contact, CNN, Etsy, Twitter, Netflix, The Wall Street Journal online, and many more
The size and effect of this attack should be a warning to the ASBTDC
Research Methods & Procedures
Researched cybersecurity using authoritative resources
Conducted interviews
The interviews consisted of unstructured questions
Questions were based on the "absolutely necessary" cybersecurity prevention measures in the NISTIR 7621 document
During the interview portion of the research it became clear there was a need to interview more than one information technology specialist
Sent out an online survey
To determine the cybersecurity climate of the ASBTDC

Interview Questions
Do you have a risk management plan that includes
cybersecurity prevention?
Do you use virus, spyware, and malware protection?
Is your internet network protected?
Are software firewalls installed, activated and updated?
Are the operating systems and software updated regularly?
Are the computers and MIS backed up on a regular basis?
(Figure: NISTIR 7621 document)
Interview Questions
Do you control physical access to your computers and networks?
Are the wireless access point and networks secure? Is the Wi-Fi
encrypted? Have the default administrative passwords been
changed?
Do you educate your staff on data security best practices? If so,
how often?
Do you require individual user accounts for employees to access
computers? Do you limit administrative privileges?
Do you limit employee access to data according to
position/authority?

Online Survey Questions
What is your age?
Education
How often do you consider cybersecurity procedures?
How often do you change your password?
Do you use words that can be found in the dictionary for
your password?
Do you have work email on a mobile device?
Online Survey Questions
Is your mobile device password protected?
If it is available, do you use two-factor authentication?
Do you know how to spot a phishing attempt?
Do you back up your data?
When you were hired, were you trained to use cybersecurity
procedures?
When were you trained to use cybersecurity procedures
(year)?
Analysis and Findings
Interviewed via email
Three information technology specialists from the ASBTDC
Two computer service employees from ATU
The survey was distributed to all 38 ASBTDC employees
Received 24 responses out of the 38 surveys

Interview Responses
1. Do you use virus, spyware, and malware protection? Yes
2. Is your internet network protected? Yes
3. Are software firewalls installed, activated and updated? Yes
4. Are the operating systems and software updated regularly? Yes
5. Are the computers and MIS backed up on a regular basis? Yes
6. Do you control physical access to your computers and networks? Yes
7. Is the wireless access point and networks secure? Yes
8. Do you require individual user accounts for employees to access computers? Yes
9. Do you limit employee access to data according to position/authority? Yes

Interview Responses
Do you schedule employee training on cybersecurity procedures?
Chris Kleinhofs from the ASBTDC stated, "Best practices are reviewed in breakout sessions during our biannual state-wide staff meetings."
Timothy Lee of the ASBTDC answered, "No, we don't have scheduled training."
Chris Moss said, "New (information technology) staff training is done once a quarter."
Interview Responses
Do you educate your staff on data security best practices? If so, how often?
Chris Kleinhofs from the ASBTDC stated, "Statewide staff meetings are held twice a year and best practices are reviewed then."
Timothy Lee of the ASBTDC answered, "I have presented cybersecurity training in the past for center and state staff. We also brief current threats or concerns at weekly staff meetings as needed."
Chris Moss from ATU said, "Most training is done by the supervisor. New (information technology) staff training is done once a quarter."

Survey Responses
How often do you consider cybersecurity procedures?
(Bar chart: percentage of respondents answering Regularly, Occasionally, or Never; y-axis 0% to 70%)

Survey Responses
How often do you change your password?
(Bar chart: percentage of respondents answering Never, When I have to, Monthly, Every few months, or Once a year; y-axis 0% to 70%)
Survey Responses
When you were hired, were you trained to use cybersecurity procedures?
Yes: 42%
No: 58%
Recommended Action One
To create and schedule regular cybersecurity training for all ASBTDC employees
Urgency, Feasibility, Cost
Urgency: Creating and scheduling regular cybersecurity training is urgent! #haveaplan
The number of cyber-attacks is increasing exponentially
Feasibility: Creating and scheduling regular cybersecurity training is also feasible
The cybersecurity training could be scheduled during one of the ASBTDC's biannual state staff meetings
It could also be delivered using webinar software
Cost: The monetary cost would be minimal
It would take time and effort to create the cybersecurity training and time to deliver it
Recommended Action Two
To develop and implement a cybersecurity response plan, also called a cybersecurity incident response plan (CSIRP), for the ASBTDC
Urgency, Feasibility, Cost
Urgency: Creating and implementing a cybersecurity response plan is urgent! #haveaplan
Feasibility: Creating a CSIRP for the ASBTDC would be challenging
Lack of financial and personnel resources
Requires extensive cooperation between the ASBTDC's information technology specialist, the UALR information technology department, and the ATU information technology department
Cost: The financial cost, time, and effort could be high
May have to hire an outside consultant
Conclusion
It is just a matter of time before a cyber-attack affects the ASBTDC
Implementing a cybersecurity incident response plan has obstacles; however, it is not impossible
Keeping the ASBTDC safe from cyber-attack is an urgent issue and it should be a priority for the ASBTDC
Cybersecurity Resources
FTC Start with Security: www.ftc.gov/startwithsecurity
NIST Computer Security Resource Center: csrc.nist.gov
SBA Cybersecurity: www.sba.gov/cybersecurity
Stay Safe Online: staysafeonline.org/business-safe-online
US-CERT: www.fcc.gov/general/cybersecurity-small-business
Resources for Cybersecurity Incident Response
FCC Cyberplanner: www.fcc.gov/cyberplanner
NIST Computer Security Incident Handling Guide: nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
SANS Incident Handling Annual Testing and Training: www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
Thank you!
I would like to thank Ronda Hawkins and Nathan George of the ATU SBTDC for assisting me with this project. I would also like to thank Laura Fine, Michael Singleton, Timothy Lee, Wendy Orvis, and Chris Kleinhofs of the Arkansas Small Business and Technology Development Center for allowing me to schedule interviews and conduct a survey on the topic of cybersecurity. I would like to thank the employees of the ASBTDC for taking the time to fill out the survey while preparing for the SBDC accreditation. Chris Moss and Kim Newman of the Arkansas Tech University Computer Services were extremely helpful in answering the interview questions.