Helping small businesses close the gap on cybersecurity

Starting your own small business is equal parts exciting and terrifying. You do your research, get all the right advice, and then finally decide to take the plunge. Next thing you know, you feel like you’re drowning. Nothing prepares you for just how much time and effort goes into actually running the business. You thought you were going to be selling widgets; instead, you’re buried under a mountain of paperwork, going to endless meetings, and constantly fighting with your email system, website, or both.

If that’s not enough, adding to the pile these days is the ever-growing spectre of cybersecurity. Cyber-attacks and data breaches are in the news every day, so you’re naturally worried that it might happen to you one day. What can you actually do about it though? Like most small business owners, you know even less about cybersecurity than you do about websites. Where do you even start?

If you’re running a micro-business with fewer than 5 people in it, chances are you’re getting by on whatever IT skills you’ve learned yourself over the years, or maybe you’re lucky enough to have a tech-savvy friend to help you out when you need it. Outsourcing to a professional IT managed service provider (a.k.a. an “MSP”) sounds like a wonderful idea, but the cost is a real barrier when you’re still trying to build a sustainable revenue base - and that’s assuming you can even find a provider that’s willing to take on such small customers.

Even if you’re a bit bigger, and have found an MSP that seems like they know what they’re doing, how do you really know? It’s hard to have a conversation about cybersecurity with them when you don’t speak the language. Even if you manage to ask the right questions, you know the answers are probably going to be a mess of indecipherable jargon and geek-speak.

Enter: the OpenCASE framework.

After seeing these problems play out over the last decade, I came to realise that small businesses were being hamstrung by their reliance on frameworks and best practices developed for much larger organisations, which just don’t translate to a small business context. Their complexity, combined with the time and financial investment required, makes them thoroughly impractical, if not impossible, to adapt.

This realisation motivated me to create OpenCASE, the Open Cybersecurity Architecture for Small Enterprise. OpenCASE has been designed specifically to address the challenges and constraints of tackling cybersecurity in a modern small business. It defines a list of 11 priorities for protecting different aspects of cybersecurity, each with 3 implementation levels of gradually increasing strength and complexity to cater to different levels of capability and maturity.

In stark contrast to established standards, OpenCASE is just for small business. It caters to the unique characteristics of small business IT environments and is realistic about what’s achievable within the constraints of a small business budget. It’s not meant to be comprehensive, or perfect, or to scale for larger organisations. It’s meant to be a practical starting point for small businesses that want to be proactive about cybersecurity, but don’t know how.

Understanding the 11 Priorities

Right off the bat, the prioritised structure of OpenCASE tells you where to start, and how to progress. The language is plain, and the objectives are clear. You don’t need to be an IT or cybersecurity expert to understand the intent:

  • Priority 1: Protect your user accounts.
  • Priority 2: Protect your people.
  • Priority 3: Protect your passwords.
  • Priority 4: Protect against malware.
  • Priority 5: Protect your data.
  • Priority 6: Protect privileged accounts.
  • Priority 7: Protect your applications.
  • Priority 8: Protect your email.
  • Priority 9: Protect your devices.
  • Priority 10: Protect third party relationships.
  • Priority 11: Prepare for the worst.

Why this order? Simply put, I’ve learnt a lot of lessons the hard way over the years about what works and what doesn’t with small business. This list of priorities represents the most effective tactics for protecting against cybersecurity threats in that context. Admittedly, they are conceptual, as opposed to being instructive, but that helps to ensure that the top layer of the framework is easy to understand and talk about, regardless of your background.

The lower layers of the framework are where the real detail is spelt out. Every priority has 3 levels that describe specific, practical steps for implementation. For example, Priority 1 requires the following:

  • Level 1: Enforce multi-factor authentication for primary user accounts.
  • Level 2: Don’t use weak multi-factor authentication methods.
  • Level 3: Use single sign on or multi-factor authentication with all cloud applications.

At this layer, OpenCASE is more instructive about what to do, so the language used is a little more technical, but should still be familiar. Below this are the completion criteria, which focus on the practicalities of implementation. They define what specifically must be done to satisfy the requirements of the framework. For example, the completion criteria for Priority 1, Implementation Level 1 are specified as:

  • All human users are required to complete multi-factor authentication when signing in to their primary user account.

Straightforward, unambiguous, and specified in terminology that should be friendly enough for non-technical small business owners. Where terms are used which might lead to confusion, there is a separate “Guidance” file that provides additional context and clarifications. The completion criteria are also written so they’re easy to measure, to avoid any uncertainty about whether you’ve satisfied them.
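Because the completion criteria are written to be measurable, they can be checked mechanically. The following is an added example, not tooling from OpenCASE or Shogun Cybersecurity: a small Python checker that evaluates a constructed user inventory against the three levels of Priority 1. Only the Level 1 criterion is quoted on the page; the Level 2 and Level 3 checks, the list of “weak” MFA methods, and the `User` fields are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# ASSUMPTION: the page does not say which MFA methods are "weak"; SMS and
# voice-call codes are used here only as an illustrative weak set.
WEAK_MFA_METHODS = {"sms", "voice"}

@dataclass
class User:
    name: str
    human: bool                   # service accounts are not "human users"
    mfa_enforced: bool            # MFA required at primary-account sign-in
    mfa_methods: set = field(default_factory=set)
    cloud_apps: dict = field(default_factory=dict)  # app -> "sso"|"mfa"|"password"

def level1_gaps(users):
    """Level 1 criterion as quoted on the page: every human user completes
    MFA when signing in to their primary account."""
    return [u.name for u in users if u.human and not u.mfa_enforced]

def level2_gaps(users):
    """Assumed reading of Level 2: no human user relies only on weak methods."""
    return [u.name for u in users if u.human and u.mfa_enforced
            and u.mfa_methods and u.mfa_methods <= WEAK_MFA_METHODS]

def level3_gaps(users):
    """Assumed reading of Level 3: every cloud app a human signs in to uses SSO or MFA."""
    return [(u.name, app) for u in users if u.human
            for app, mode in sorted(u.cloud_apps.items())
            if mode not in ("sso", "mfa")]

def assess_priority1(users):
    """Highest fully satisfied level, 0-3; levels are treated as cumulative."""
    level = 0
    for gaps in (level1_gaps, level2_gaps, level3_gaps):
        if gaps(users):
            break
        level += 1
    return level

# Constructed sample inventory for a small business (not real accounts).
SAMPLE = [
    User("alice", True, True, {"authenticator"}, {"crm": "sso", "books": "mfa"}),
    User("bob", True, True, {"sms"}, {"crm": "sso"}),
    User("carol", True, True, {"authenticator"}, {"payroll": "password"}),
    User("backup-svc", False, False),        # service account, out of scope
]

if __name__ == "__main__":
    print("Priority 1 level achieved:", assess_priority1(SAMPLE))  # 1
    print("Level 2 gaps:", level2_gaps(SAMPLE))  # ['bob']
```

The sample reaches Level 1 only: everyone has MFA enforced, but bob’s sole method is in the assumed weak set, so Level 2 is not met, and carol’s payroll app still uses a bare password, which would block Level 3.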

Sounds great, what am I meant to do with all this though?

OpenCASE is intended to facilitate a proactive approach to cybersecurity within a small business. Think of it as a roadmap which shows you where to go so you don’t have to work it out yourself, or worry about whether you’re going to get lost along the way. Start at Priority 1, Implementation Level 1, and work your way up the list.

If you have an IT service provider, OpenCASE empowers you to have meaningful conversations with them about cybersecurity - you don’t need to know a lot of fancy jargon, you can just ask them “are we doing all of this, and if not, can we?” You’ve now got a common language to talk about where you are in your cybersecurity journey - and a yardstick to measure performance and improvement over time.

Best of all, OpenCASE is FREE! It’s published under a Creative Commons license which allows free use within a commercial setting, so it’s not going to cost you (or your IT service provider) anything to use it. That means more money to spend on the things which will actually make a difference - like a good password manager, or training for your employees!

About Shogun Cybersecurity

OpenCASE was created by Corch, founder of Shogun Cybersecurity. We’re an independent Melbourne-based consultancy that’s been working heavily with small businesses and not-for-profits for the last 10 years, providing tailored strategic advice and cybersecurity expertise. We work collaboratively with our clients and their existing IT service providers to help them level up their cybersecurity. You shouldn’t need our help with implementing OpenCASE in your business, but if you’ve got special requirements or you want to invest a little more in cybersecurity for that extra peace of mind, then please get in touch with us via info @shogun.net.au.