• United States




NIST Cybersecurity Framework not just for large organizations

Oct 17, 20174 mins
Application SecurityData and Information SecurityNetwork Security

Small and mid-sized businesses are at most risk and so have greater need.

The National Institute of Standards and Technology (NIST) has been dedicating a lot of time and effort to help organizations improve their cybersecurity. We’ve looked at NIST’s Cybersecurity Framework, we’ve talked about how to build it right and the importance of long term resilience. In this article, we’d like to dispel the erroneous idea that NIST’s guidelines are just for large organizations. 

Cybercrime is a great threat, regardless of the size of your business, but there are compelling reasons that smaller businesses need to be sitting up, paying attention and, most importantly, taking action.

Going out of business

“Small- and medium-sized businesses are drivers of the economy. Statistics show that when [these businesses] are the victim of a cyberattack they go out of business in less than a year,” Walter Copan, the President’s current nominee for the NIST director post, told Science magazine recently.

Sadly, it’s true. Big data breaches may make the headlines, but large organizations usually have the resources and resilience to recover, whereas smaller businesses may never recover. Consider that 60% of all small businesses that suffer a cyber-attack go out of business within six months, according to the U.S. National Cyber Security Alliance.

That’s a frightening statistic and it highlights the need for small businesses to seek out advice and consider the best plan. If you’re inexperienced when it comes to cybersecurity, then NIST’s Small Business Information Security: The Fundamentals is a very good place to start.

“Many small businesses think that cybersecurity is too expensive or difficult; Small Business Information Security is designed for them,” says lead author, Pat Toth in a NIST article.

Low hanging fruit

For cybercriminals, the path of least resistance is often the one they’ll take. They won’t hack through a clever set of defenses when they can con a password out of someone with administration privileges. By that same token, it’s often much easier to gain access to a small business than a large one, because basic defenses are limited or entirely lacking.

When a Manta poll asked 1,420small business owners whether they felt at risk of a data breach, a whopping 87% answered no. To make matters worse, 31% of small business owners admitted that they have no controls in place to prevent attacks. A lack of proper cybersecurity tools and expertise can be disastrous and it often is.

From phishing scams to insecure IoT devices there are risks and vulnerabilities everywhere. No wonder then, that in 2016 when the Ponemon Institute surveyed 600 IT leaders at small and medium sized businesses, it found that half of them had been breached in the previous 12 months. Only 14% of the companies in the study rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective.

What should you do?

The NIST guide we linked above is designed to assist you in running a simple risk assessment, which is always the first step towards understanding your vulnerabilities.  The basic principles of the Cybersecurity Framework are every bit as applicable to small businesses as they are to large organizations, so think about staff education and information security training, lock down access to sensitive data, encrypt data, monitor and filter traffic, and keep the software you use fully up to date with the latest security patches.

Another vital step to take, which may seem like a lot of work upfront but will most certainly save you a lot of pain if you suffer a breach, is to develop an Incident Response plan and create a Play Book. Having a procedure to follow when the worst happens can be the difference between a manageable problem and the end of your business.

We know it’s not always feasible for small businesses to have an InfoSec professional on the team, but it can be worthwhile engaging cybersecurity expertise on a short-term basis, to help you formulate your plans and ensure that you’re prepared. You might also consider cyber insurance for more peace of mind.

As big businesses tighten up their cybersecurity defenses, the risk for small and mid-sized businesses is only going to grow bigger. We’re glad to see smaller businesses make NIST more of a priority. NIST’s framework can provide a lot of useful, actionable and repeatable advice, so make sure you take advantage.


Michelle Drolet is a seasoned security expert with 26 years of experience providing organizations with IT security technology services. Prior to founding Towerwall (formerly Conqwest) in 1993, she founded CDG Technologies, growing the IT consulting business from two to 17 employees in its first year. She then sold it to a public company and remained on board. Discouraged by the direction the parent company was taking, she decided to buy back her company. She re-launched the Framingham-based company as Towerwall. Her clients include Biogen Idec, Middlesex Savings Bank, PerkinElmer, Raytheon, Smith & Wesson, Covenant Healthcare and many mid-size organizations.

A community activist, she has received citations from State Senators Karen Spilka and David Magnani for her community service. Twice she has received a Cyber Citizenship award for community support and participation. She's also involved with the School-to-Career program, an intern and externship program, the Women’s Independent Network, Young Women and Minorities in Science and Technology, and Athena, a girl’s mentorship program.

Michelle is the founder of the Information Security Summit at Mass Bay Community College. Her numerous articles have appeared in Network World, Cloud Computing, Worcester Business Journal, SC Magazine, InfoSecurity,, Web Security Journal and others.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.