How can smaller businesses address their cybersecurity risks without the resources of large organizations?
There are a lot of challenges to being a small-business owner, including safely managing technology. Every risk can have an outsized effect on your ability to stay in business. And resources for protecting your business are often geared towards much larger organizations. The National Institute of Standards and Technology (NIST) aims to change that, with the release of their Small Business Cybersecurity Corner.
How is protecting a smaller business different?
On a fundamental level, the techniques needed to protect a small business aren’t all that different from those needed to protect a very large organization. The biggest differences boil down to complexity, expertise, and resilience.
A small network will necessarily be a lot less complex, which means it can be easier to protect. But if you don’t have the expertise to know whether you’ve adequately protected your data and devices, that simplicity is largely irrelevant. And while the cost of a security incident may be lower because of a small number of records or machines affected, if it’s a huge percentage of a small amount of profit, it can be very difficult for businesses to bounce back.
Existing advice for assessing and protecting against cybersecurity risks can often seem overwhelming to those who aren’t computer experts. Now there is a resource that speaks specifically to smaller businesses, in more approachable language, to help them understand their particular risks as well as the measures used to mitigate them.
NIST resources for small businesses
Let’s do a quick tour of NIST’s Small Business Cybersecurity Corner, to illustrate the variety of resources they’re offering. The first section is Cybersecurity Basics, which is a great place to start.
This section has three sub-sections: “Cybersecurity Risks”, “For Managers”, and “Glossary”. The Cybersecurity Risks page has two groups of articles. The first group is called “Risks & Threats”; this covers a wide variety of common concerns, and it’s well balanced between helping you understand threats as well as how to address or identify them. The second group is called “Risk Management”, and it specifically discusses risk management myths as well as providing statistics that stress the importance of managing technological risk.
The “For Managers” section covers security from a management perspective. This includes Board-level discussions of security and risk, topics of discussion for CEOs considering their company’s security posture, improving security culture at all levels of the organization, and how to hire new security staff.
The Glossary is just what you’d expect, and it covers several dozen terms describing security concepts that are used throughout the site.
The “Cybersecurity Basics” section is a good place to start for those who are very new to the topic of security, and may be a good review for people who are more familiar. The myths document is likely to be particularly helpful for those who are coming in with some level of security preconceptions.
The next section has the sort of content that NIST has become well known for, along with additional articles that explain those resources in clearer, less technical language.
The “Cybersecurity Resources Roadmap” is a good place to start when navigating this section. It is an infographic to help you determine how to get started, or where you need to go if you are further along on your journey towards protecting your environment. Each tier will point you to the specific resources that will be most helpful.
Responding to a Cyber Incident
This section is where to go if you’ve been the victim of a security event and need to know what to do next. The data breach guide even includes a sample template for a breach response notification, so you can ensure that you’ve covered the necessary bases as efficiently and professionally as possible, even in a very stressful situation.
This section was created with the NIST Manufacturing Extension Partnership and is geared primarily towards small manufacturers. It goes into more detail about the NIST 800-171 Handbook, to assist those who supply products to the Department of Defense.
This section is a list of resources and other government organizations working to improve cybersecurity. I’d like to draw particular attention to the National Initiative for Cybersecurity Education (NICE) Workforce Management Guidebook, which can be particularly helpful if you’re at the point of wanting to hire people to help improve your security capability.
The FAQ section answers frequently asked questions about the NIST Small Business Cybersecurity site itself, such as why small to medium-sized businesses need to be concerned about security.
Once you’ve gotten up to speed on the basics, you may wish to revisit the site regularly, to see what the newest topics of interest are. The Blog section is periodically updated with things that NIST is doing, as well as current events of interest.
I hope NIST’s efforts are only the beginning of a major trend towards educating small-business owners about security topics. There’s a tremendous need that must be filled, especially around making regulatory compliance understandable by mere mortals. If you own a small business, do you think this level of information is useful? If so, why? Or if not, what would you like to see done differently?