Performing a gap analysis is another critical step for figuring out what cybersecurity controls need to be implemented in your business environment. No organization is going to be 100% secure, but there are key cybersecurity standards that everybody should strive to meet. A gap analysis can be performed alongside a risk assessment, as they both entail carefully observing the technology surface to find issues.
Specific end goals need to be set so that organizations know what they are comparing their current state against. While building the UMPI framework, I laid out the following goals for a well-secured small business network:
- Operating systems are up to date with the latest release, with automatic updates enabled for both the OS and installed software.
- User accounts on both devices and cloud platforms are configured with least privilege access, with some form of a central identity service overseeing the access.
- Multifactor authentication (MFA) is enabled on every business-connected user account.
- Operating systems have antivirus software and host firewalls enabled.
- Sensitive system categories such as IoT and servers storing PII are confined to their own dedicated network segments.
- Workstations and server hardware are physically secured through methods such as cable locks and security cameras.
- All sources of business data are backed up to at least two physically separated environments on at least two distinct pieces of media.
- Wireless networks are configured with a minimum of WPA2-PSK security.
- Guests and visitors are barred from accessing the same network as employees and, if necessary, are given their own separate network.
- A strong password policy is in place that emphasizes creating strong passphrases and requires changes at least every 60 days.
These are by no means all of the security controls that should be in place on a network, but they are the ones I have noticed are most often lacking in small businesses. Survey your digital landscape regularly and compare the results with these standards. Any existing "gap" should be properly documented alongside a plan for how to close it moving forward.
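To show what the survey-and-compare step looks like when it is written down rather than done by eye, here is an added example (not part of the UMPI framework or the author's own material) that turns each of the goals above into a check, runs them over a constructed inventory of a fictional office, and produces a gap register with a remediation note per finding. The inventory layout, the VLAN numbers, the wireless-mode ranking and the `it-admin` role name are assumptions made for the example.

```python
"""Gap-analysis checker for the baseline goals listed above (added example).

A survey of the environment is recorded as a plain dictionary, each goal
becomes a check, and every failed check lands in a gap register with a
remediation note. The inventory at the bottom is constructed, not real.
"""
from collections import Counter
from dataclasses import dataclass

# Wireless modes ordered weakest to strongest (assumed ordering); the goal is
# "a minimum of WPA2-PSK", so anything at or above that index passes.
WIFI_RANK = ["open", "WEP", "WPA-PSK", "WPA2-PSK", "WPA2-Enterprise", "WPA3-SAE"]
MAX_PASSWORD_AGE_DAYS = 60                           # from the password-policy goal
SENSITIVE = {"iot", "pii-server"}                    # must live on dedicated segments
ENDPOINTS = {"workstation", "server", "pii-server"}  # AV and host firewall apply here


@dataclass
class Gap:
    control: str      # which baseline goal failed
    subject: str      # host, account, network or data source
    finding: str      # what the survey observed
    remediation: str  # the plan to close the gap


def wifi_meets_minimum(mode, minimum="WPA2-PSK"):
    """True if `mode` is at least as strong as `minimum`; unknown modes fail closed."""
    if mode not in WIFI_RANK:
        return False
    return WIFI_RANK.index(mode) >= WIFI_RANK.index(minimum)


def backups_meet_policy(backups):
    """Two physically separate sites AND two distinct media types are required."""
    sites = {b["site"] for b in backups}
    media = {b["media"] for b in backups}
    return len(sites) >= 2 and len(media) >= 2


def analyze(inv):
    """Compare the surveyed inventory against each baseline goal; return the gaps."""
    gaps = []
    ws_vlan, guest_vlan = inv["vlans"]["workstation"], inv["vlans"]["guest"]
    for h in inv["hosts"]:
        if not (h["os_current"] and h["auto_update"]):
            gaps.append(Gap("patching", h["name"], "OS out of date or auto-update off",
                            "enable automatic OS and application updates"))
        if h["category"] in ENDPOINTS and not (h["antivirus"] and h["host_firewall"]):
            gaps.append(Gap("endpoint", h["name"], "antivirus or host firewall disabled",
                            "enable antivirus and the host firewall"))
        if h["category"] in SENSITIVE and h["vlan"] == ws_vlan:
            gaps.append(Gap("segmentation", h["name"], "sensitive system on workstation VLAN",
                            "move to a dedicated VLAN with firewall rules between segments"))
        if not h["physically_secured"]:
            gaps.append(Gap("physical", h["name"], "no cable lock or camera coverage",
                            "add a cable lock and camera coverage"))
    for a in inv["accounts"]:
        if not a["mfa"]:
            gaps.append(Gap("mfa", a["user"], "MFA not enrolled", "enrol the account in MFA"))
        if a["privilege"] == "admin" and a["role"] != "it-admin":   # role name is assumed
            gaps.append(Gap("least-privilege", a["user"], "admin rights without an admin role",
                            "demote to standard user; issue a separate admin account if needed"))
    for w in inv["wifi"]:
        if not wifi_meets_minimum(w["security"]):
            gaps.append(Gap("wireless", w["ssid"], f"{w['security']} is below WPA2-PSK",
                            "reconfigure to WPA2-PSK or stronger"))
    if guest_vlan == ws_vlan:
        gaps.append(Gap("guest-network", "guest wifi", "guests share the employee VLAN",
                        "create an isolated guest VLAN"))
    if inv["password_policy"]["max_age_days"] > MAX_PASSWORD_AGE_DAYS:
        gaps.append(Gap("password-policy", "domain policy",
                        f"max age {inv['password_policy']['max_age_days']} days exceeds 60",
                        "set max age to 60 days and require strong passphrases"))
    for d in inv["data_sources"]:
        if not backups_meet_policy(d["backups"]):
            gaps.append(Gap("backup", d["name"], "fewer than 2 sites or 2 media types",
                            "add an off-site copy on a different medium"))
    return gaps


def summarize(gaps):
    """Count gaps per control so the register can be prioritised."""
    return dict(Counter(g.control for g in gaps))


# Constructed survey of a fictional office; values chosen so each check is exercised.
INVENTORY = {
    "vlans": {"workstation": 10, "guest": 10},
    "hosts": [
        {"name": "ws-01", "category": "workstation", "os_current": True, "auto_update": True,
         "antivirus": True, "host_firewall": True, "vlan": 10, "physically_secured": True},
        {"name": "ws-02", "category": "workstation", "os_current": False, "auto_update": False,
         "antivirus": True, "host_firewall": False, "vlan": 10, "physically_secured": False},
        {"name": "cam-01", "category": "iot", "os_current": True, "auto_update": True,
         "antivirus": False, "host_firewall": False, "vlan": 10, "physically_secured": True},
        {"name": "db-01", "category": "pii-server", "os_current": True, "auto_update": True,
         "antivirus": True, "host_firewall": True, "vlan": 30, "physically_secured": True},
    ],
    "accounts": [
        {"user": "alice", "mfa": True, "privilege": "standard", "role": "staff"},
        {"user": "bob", "mfa": False, "privilege": "admin", "role": "staff"},
        {"user": "carol", "mfa": True, "privilege": "admin", "role": "it-admin"},
    ],
    "wifi": [{"ssid": "Office", "security": "WPA2-Enterprise"},
             {"ssid": "Office-Legacy", "security": "WPA-PSK"}],
    "password_policy": {"max_age_days": 90},
    "data_sources": [
        {"name": "file-server", "backups": [{"site": "office", "media": "nas"},
                                            {"site": "cloud", "media": "object-storage"}]},
        {"name": "accounting-db", "backups": [{"site": "office", "media": "nas"},
                                              {"site": "office", "media": "usb"}]},
    ],
}

if __name__ == "__main__":
    for g in analyze(INVENTORY):
        print(f"[{g.control}] {g.subject}: {g.finding} -> {g.remediation}")
    print(summarize(analyze(INVENTORY)))
```

Run as a script it prints ten findings for the constructed office (three on `ws-02`, the camera on the wrong VLAN, two on `bob`, the legacy SSID, the shared guest VLAN, the 90-day password age and the single-site backup of `accounting-db`) followed by a per-control count. The point of structuring it this way is that the register is regenerated from a fresh survey each time, so the "regular surveys" step becomes a diff between two runs rather than a document that drifts out of date.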
