Cybersecurity Guide

Understanding how cybersecurity is critical for small businesses

Written by Karen ScarfoneLast updated:
In this guide

Small businesses don’t have the resources they need to thwart the cybersecurity attacks threatening their survival. In this report, you’ll learn how a government agency is changing that and how small businesses can benefit from these efforts.

KEY TAKEAWAYS

  • The US has more than 32 million small businesses employing more than 61 million people.
  • Cyber attacks on small and medium-sized businesses have increased by 150 percent over the past two years.
  • Small businesses are increasingly facing cyber threats, such as an uptick in ransomware attacks, but only about half of US small businesses have any kind of cybersecurity defenses in place.
  • This guide provides an overview of the existing free resources and the latest programs for small business cybersecurity from the National Institute of Standards and Technology (NIST), a federal agency within the US Department of Commerce
  • This guide also provides pointers to other free cybersecurity resources targeting small businesses. 
In this episode of the Cybersecurity Guide podcast, cybersecurity writer and consultant Karen Scarfone talks about cybersecurity for small businesses.

Cyber threats against small businesses

It’s natural to think, why would some cybercriminal want to attack my small business? Unfortunately, it’s happening all the time.

Every year Verizon publishes its respected Data Breach Investigations Report (DBIR) based on the previous year’s cybercrime reports.

The most recent DBIR has some alarming insights:

  • Small businesses can be more attractive targets than larger ones because an attacker can endanger the survival of a small business through a single attack. 
  • Ransomware is the largest threat today against the smallest businesses.
  • Insiders, like disgruntled employees, are responsible for over one-third of cybersecurity incidents involving the smallest businesses.

Most attacks today occur for financial reasons. A small business owner may be more willing than a large business owner to pay a ransom in order to hopefully regain access to systems and data, especially if that small business owner doesn’t have safeguards in place like offline data backups.

Learn more about cyber threats to small businesses

But paying a ransom doesn’t guarantee a return to normal operations. A single attack from a determined attacker can shut down many small businesses, sometimes permanently.

According to the Center for Strategic and International Studies, 42 percent of small- and medium-sized businesses had to deal with the impacts of some kind of cyber attack in the past year.

To emphasize the importance of small business cybersecurity and improve support for it, in 2023 the White House announced the National Cybersecurity Strategy.

As articulated in the strategy itself, 

“too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” The strategy also asserts that “small businesses…have limited resources and competing priorities, yet [their] choices can have a significant impact on our national cybersecurity….Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”

US Senator Chris Van Hollen (D-MD) recently remarked that the strategy “will help ensure that the Internet remains open and free while protecting the privacy of individuals and the security of critical networks.”

Every chain is only as strong as its weakest link, and there is increasing recognition that in our society, everyone must do their part to strengthen the chain for the mutual benefit of all of us.

32 percent of ransomware attacks target businesses with fewer than 100 employees

NIST’s Small Business Cybersecurity Community of Interest

Days after the release of the National Cybersecurity Strategy, NIST announced the launch of its Small Business Cybersecurity Community of Interest. Associated with NIST’s National Cybersecurity Center of Excellence (NCCoE), this Community of Interest (COI) is one of dozens for cybersecurity that NIST currently supports and makes available for anyone to join for free

There are no qualifications or fees for membership, and you’re welcome to become a member whether you’re from a small business or a technology vendor, an industry group, an academic institution, a government agency, or any other organization—or interested in your own in small business cybersecurity.

Each of NIST’s COIs is unique in terms of its membership and offerings. Generally, a cybersecurity COI is announced when NIST is launching a major new project, preparing to engage with a particular sector, or planning on providing guidance on securing a particular type of technology.

Last year NIST launched a new type of COI, called a community COI, to increase engagement with the academic community. The Small Business COI is NIST’s second community COI.

In the first few weeks after the Small Business COI was announced, hundreds of people had already joined it, according to NIST.

The COI’s primary communications mechanism is a mailing list, which keeps COI members up-to-date on the COI’s activities, as well as any new NIST publications, webinars, and other resources and events pertinent to small business cybersecurity. 

One of the first emails to the COI was on the release of a white paper, Security Segmentation in a Small Manufacturing Environment. NIST has also announced a webinar on small businesses managing their privacy risks to coincide with National Small Business Week.

With the Small Business COI in startup mode, NIST is still planning what features and benefits the COI will provide over the coming years in addition to the mailing list. However, it’s possible to make educated guesses based on what NIST’s other COIs offer.

Here are typical COI benefits that small businesses joining the COI are likely to receive:

  • Gain increased awareness of cybersecurity threats, vulnerabilities, and risks, and a better understanding of what needs to be done
  • Interact with NIST experts and other small businesses through periodic COI meetings
  • Be invited to offer suggestions to NIST for new cybersecurity resources specific to small businesses, as well as small business considerations that NIST should take into account within their other cybersecurity resources
  • Be encouraged to provide comments on the new draft of NIST cybersecurity publications
  • Learn about NIST’s cybersecurity resources and how small businesses can best utilize them 

Pete Tseronis, founder and CEO of Dots and Bridges, a small business tech firm, recently explained the benefits of joining the Small Business COI:

“I get to sit at the table and get to build trust with the federal government, NIST, on standards or regulation or policy. So it’s a no-brainer, and if you’re in sales or business development or marketing…this is how you meet the people where the problems are being addressed.”

Cybersecurity Connections Initiative

At the same event where NIST launched the Small Business COI, NIST also announced the new Cybersecurity Connections Initiative. The Initiative brings together high-tech businesses in Montgomery County, Maryland, where NIST is located, with the cybersecurity experts at NIST.

NIST will learn more about business cybersecurity needs, particularly for small businesses, and NIST will also provide cybersecurity companies with insights on how they can better help small businesses with their cybersecurity needs. 

Several public officials spoke at the announcement event, including Department of Commerce Deputy Secretary Don Graves. He explained that the new Initiative “will team cybersecurity providers and consumers to deliver cybersecurity goods and services to smaller businesses and organizations to meet these businesses and the challenges they face where they are, as opposed to making them come to us…and try and figure out, is this what I need?” This reiterates the importance of providing small businesses with actionable information and tools that reduce the burden these businesses currently face.

Another speaker at the event, US Senator Ben Cardin (D-MD), said: “As the Chair of the Senate Small Business and Entrepreneurship Committee, I am grateful for this much-needed outreach program that will work with our small businesses who are both consumers and providers of cybersecurity solutions.” This is a unique characteristic of the Initiative’s scope: the government collaborating simultaneously with small businesses on both sides of cybersecurity implementation, bringing all the key parties together.

NIST’s Small Business Cybersecurity Corner

NIST’s Small Business COI is the latest in over 20 years of NIST efforts specifically targeting small businesses. In the early 2000s, NIST began collaborating with the Small Business Administration (SBA) and the Federal Bureau of Investigation (FBI) on security outreach meetings for small businesses. 

At the same time, NIST launched what it initially called the Small Business Corner, a website with a variety of security resources specifically for small businesses.

What’s now called the Small Business Cybersecurity Corner has greatly evolved since its initial launch. It hosts a diverse assortment of resources, including the following:

In addition to these resources, NIST also has more cybersecurity resources that may be helpful to small businesses. For example, NIST’s Cybersecurity Insights blog frequently provides insights and advice on particular cybersecurity topics for small businesses.

NIST also has a 54-page publication titled Small Business Information Security: The Fundamentals, which is written specifically for owners of small businesses and is based on the widely adopted NIST Cybersecurity Framework.

The NIST Cybersecurity Framework

Since NIST launched the Cybersecurity Framework over 10 years ago, it has been widely adopted by organizations of all types around the world. What differentiated the Cybersecurity Framework (CSF) from most other security guidance was that it is outcome-based. 

In other words, the CSF tells organizations what they need to achieve with cybersecurity in terms of outcomes, instead of the details of how they need to achieve it. This gives organizations a great deal of flexibility in deciding how to implement their cybersecurity protections.

Here’s one example from the framework, “Asset vulnerabilities are identified and documented.”

Finding vulnerabilities in software, like missing operating systems and application patches, is certainly an important part of cybersecurity, so it’s included in the CSF.

However, there are many ways to identify and document vulnerabilities. A large enterprise is likely to use numerous automated systems to monitor their servers, end-user devices, and other systems for vulnerabilities, but the types and details of these systems will be unique to each enterprise. 

A small business, on the other hand, might not have a centralized system for automatic vulnerability identification. Instead, they might rely on using features built into their end-user device operating systems to notify users when a new patch is available or to automatically install patches as soon as they become available.

Learn more about vulnerabilities

Because the CSF doesn’t specify the “how,” it can apply to any organization regardless of size, so small businesses using the CSF have to figure out their “how.”

NIST has recognized the need for more CSF guidance for small businesses, and they’ve responded in several ways. For example, they’ve established a CSF resources page for small and medium-sized businesses. They’ve also published Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide specifically to help small businesses with CSF implementation.

This guide provides recommendations for the most important activities to typically perform without being overly prescriptive. This gives small businesses more guidance on how to address cybersecurity needs while still giving each business the flexibility to choose the solutions that work best for them.

NIST has taken a similar approach with its ransomware guidance. To help all organizations thwart ransomware, NIST has published a report, Ransomware Risk Management: A Cybersecurity Framework Profile.

The report defines a CSF Profile, which provides guidance to organizations on implementing the portions of the CSF that are particularly important for stopping ransomware. To complement the Profile, NIST has also released a quick start guide titled Getting Started with Cybersecurity Risk Management | Ransomware.

NIST’s quick start guides are a sound place for small businesses to get advice on low-cost actions they can take to tackle the biggest threats they face.

A major update to CSF is currently under development at NIST. NIST has publicly stated that they will take small business needs into greater consideration in CSF version 2.0.

Cybersecurity resources for small businesses

The Cybersecurity Guide for Small Business helps small businesses understand the cybersecurity threats against them, the risks they face, and the actions they can take to address their vulnerabilities.

NIST’s Small Business Cybersecurity Corner is a site with links to several dozen useful resources for small businesses, including cybersecurity guides, training courses, and videos.

Other federal agencies offer additional resources, including the Cybersecurity & Infrastructure Security Agency (CISA), the Small Business Administration (SBA), and the Federal Communications Commission (FCC)

Sign up for NIST’s Small Business COI here: https://www.nccoe.nist.gov/get-involved/join-community-interest. All NIST COI mailing lists are low-volume, with each email highlighting something you’ll likely be interested in. 

The National Cyber Security Centre in the UK offers its Small Business Guide: Cyber Security resource, which explains several basic cybersecurity actions that every small business should take. 

Frequently asked questions

Why is cybersecurity important for small businesses?

Cybersecurity is vital for small businesses because they are often targeted by cybercriminals due to their perceived lack of robust security measures. Protecting sensitive data and maintaining trust with customers is paramount for business success.

Are small businesses really at risk of cyberattacks?

Yes, small businesses are frequently targeted by cybercriminals. In fact, studies have shown that over 60% of cyberattacks are directed at small to medium-sized businesses.

What are the common cybersecurity threats faced by small businesses?

Small businesses often face threats like phishing attacks, ransomware, malware, and data breaches. These attacks can lead to financial losses, damage to reputation, and potential legal consequences.

How can small businesses improve their cybersecurity?

Small businesses can enhance their cybersecurity by implementing strong password policies, regularly updating software, training employees on security best practices, and investing in reliable security solutions.

Is investing in cybersecurity solutions expensive for small businesses?

While there are high-end cybersecurity solutions available, many affordable options are specifically designed for small businesses. Investing in cybersecurity can be cost-effective in the long run, considering the potential losses from a cyberattack.

Sources

  • 2023 Data Breach Investigations Report | Sourced from Verizon.com in October 2023.
  • National Cybersecurity Strategy | Sourced from Whitehouse.gov in October 2023.
  • Small Business Cybersecurity Corner | Sourced from NIST.gov in October 2023.
  • Small and Medium Business Resources | From NIST.gov in October 2023.
  • Getting Started with the NIST Cybersecurity Framework | From NIST.gov in October 2023.