New cybersecurity guidance for small businesses

By: William Jackson
November 11, 2016


The National Institute of Standards and Technology (NIST) has released a new edition of its reference to information security for small businesses, which provides non-technical guidelines for cybersecurity for businesses that might not have deep technical expertise.

While many small businesses feel they do not have the resources for a robust cybersecurity program, they are likely to be even less well prepared to weather a significant data breach or a network disruption. NIST cites findings from Symantec that 60 percent of small businesses close within six months of suffering a cyberattack. “Businesses of all sizes face risks when operating online and therefore need to consider their cybersecurity,” said Patricia Toth, co-author of the report.

Interagency Report 7621, Small Business Information Security: The Fundamentals, was originally published in 2009. This is the first revision of the document, and it is based on the NIST Cybersecurity Framework, which has become a surprisingly versatile and valuable document since its publication in 2014.

As its full title implies, the Framework for Improving Critical Infrastructure Cybersecurity was originally part of the effort to improve the security of the nation’s critical infrastructure, most of which is operated by the private sector. It is a catalog of voluntary industry best practices and standards that provides a template for companies operating critical infrastructure to use in developing their cybersecurity programs.

Because it is technology neutral and intended to be applicable across a wide range of industry verticals, it has been adopted as a foundation for cybersecurity by many organizations in both the public and private sectors. The framework also provides the template for NIST’s small business guidance. “It has proven useful to a variety of audiences and is used in this publication to organize information and cybersecurity best practices in an accepted and logical format,” the authors wrote.

Although cybersecurity is not a priority for many small businesses, the reality of today’s cyberthreat landscape is that all organizations—large or small—are targets. All organizations maintain information that is valuable to their operations, much of which is also sensitive. Even if a business does not hold intellectual property or feels it is too small to be of interest, data on employees, customers and clients often contains personally identifiable information, which criminals seek for identity theft and other types of fraud.

Maybe more importantly, small businesses are part of the greater supply chain and can be targeted by organized criminals and nation-sponsored hackers as vulnerable back doors to larger, more high-profile businesses. Breaches of major corporations, government contractors and federal agencies often are the result of initial compromises at smaller companies.

Contractors, regardless of size, are increasingly being held accountable for cybersecurity by their clients and customers. Defense Department contractors now must meet government requirements for securing sensitive and classified government information in their IT systems.

In addition to regulatory requirements, a good-faith effort in complying with best practices and guidelines can help reduce legal and financial liability in the wake of a breach, and can help businesses qualify for cyber insurance.

In other words, cybersecurity is your responsibility whether you realize it or not. The revised guidance describes how to implement an information security program and key actions for improving cybersecurity, and identifies user practices that can be implemented immediately to help protect systems and information. It contains examples of security policy and procedure statements and worksheets for conducting a risk analysis.

If you want more detailed information on cybersecurity, NIST has produced an extensive library of guidance, standards and best practices