NIST Cybersecurity Framework not just for large organizations

Small and mid-sized businesses are at the greatest risk, and so have the greatest need.


The National Institute of Standards and Technology (NIST) has been dedicating a lot of time and effort to helping organizations improve their cybersecurity. We’ve looked at NIST’s Cybersecurity Framework, we’ve talked about how to build it right, and we’ve discussed the importance of long-term resilience. In this article, we’d like to dispel the erroneous idea that NIST’s guidelines are just for large organizations.

Cybercrime is a great threat, regardless of the size of your business, but there are compelling reasons that smaller businesses need to be sitting up, paying attention and, most importantly, taking action.

Going out of business

“Small- and medium-sized businesses are drivers of the economy. Statistics show that when [these businesses] are the victim of a cyberattack they go out of business in less than a year,” Walter Copan, the President’s current nominee for the NIST director post, told Science magazine recently.

Sadly, it’s true. Big data breaches may make the headlines, but large organizations usually have the resources and resilience to recover, whereas smaller businesses may never recover. Consider that 60% of small businesses that suffer a cyberattack go out of business within six months, according to the U.S. National Cyber Security Alliance.

That’s a frightening statistic, and it highlights the need for small businesses to seek out advice and settle on a plan. If you’re inexperienced when it comes to cybersecurity, then NIST’s Small Business Information Security: The Fundamentals (NISTIR 7621 Rev. 1) is a very good place to start.

“Many small businesses think that cybersecurity is too expensive or difficult; Small Business Information Security is designed for them,” says lead author, Pat Toth in a NIST article.

Low hanging fruit

For cybercriminals, the path of least resistance is often the one they’ll take. They won’t hack through a clever set of defenses when they can con a password out of someone with administrative privileges. By the same token, it’s often much easier to gain access to a small business than a large one, because basic defenses are limited or entirely lacking.

When a Manta poll asked 1,420 small business owners whether they felt at risk of a data breach, a whopping 87% answered no. To make matters worse, 31% of small business owners admitted that they have no controls in place to prevent attacks. A lack of proper cybersecurity tools and expertise can be disastrous, and it often is.

From phishing scams to insecure IoT devices, there are risks and vulnerabilities everywhere. No wonder, then, that in 2016 when the Ponemon Institute surveyed 600 IT leaders at small and medium-sized businesses, it found that half of them had been breached in the previous 12 months. Only 14% of the companies in the study rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.

What should you do?

The NIST guide linked above walks you through a simple risk assessment, which is always the first step towards understanding your vulnerabilities. The basic principles of the Cybersecurity Framework, organized around the five functions Identify, Protect, Detect, Respond and Recover, are every bit as applicable to small businesses as they are to large organizations: think about staff education and information security training, lock down access to sensitive data, encrypt data, monitor and filter traffic, and keep the software you use fully up to date with the latest security patches.

Another vital step, which may seem like a lot of work upfront but will most certainly save you a lot of pain if you suffer a breach, is to develop an incident response plan and the playbooks that go with it. Having a procedure to follow when the worst happens, and having rehearsed it before it is needed, can be the difference between a manageable problem and the end of your business.

We know it’s not always feasible for small businesses to have an information security professional on the team, but it can be worthwhile engaging cybersecurity expertise on a short-term basis to help you formulate your plans and ensure that you’re prepared. You might also consider cyber insurance for more peace of mind, bearing in mind that a policy complements the controls above rather than replacing them.

As big businesses tighten up their cybersecurity defenses, the risk for small and mid-sized businesses is only going to grow. We’re glad to see smaller businesses make NIST more of a priority. NIST’s framework provides a lot of useful, actionable and repeatable advice, so make sure you take advantage of it.

This article is published as part of the IDG Contributor Network.
