Small businesses don’t have the resources they need to thwart the cybersecurity attacks threatening their survival. In this report, you’ll learn how a government agency is changing that and how small businesses can benefit from these efforts.
- The US has more than 32 million small businesses employing more than 61 million people.
- Cyber attacks on small and medium-sized businesses have increased by 150 percent over the past two years.
- Small businesses are increasingly facing cyber threats, such as an uptick in ransomware attacks, but only about half of US small businesses have any kind of cybersecurity defenses in place.
- This guide provides an overview of the existing free resources and the latest programs for small business cybersecurity from the National Institute of Standards and Technology (NIST), a federal agency within the US Department of Commerce.
- This guide also provides pointers to other free cybersecurity resources targeting small businesses.
- Threats against small businesses
- NIST community of interest
- Connections Initiative
- Small Business Corner
- NIST framework
- Small business resources
Cyber threats against small businesses
It’s natural to think, why would some cybercriminal want to attack my small business? Unfortunately, it’s happening all the time. Every year Verizon publishes its respected Data Breach Investigations Report (DBIR) based on the previous year’s cybercrime reports. The most recent DBIR has some alarming insights:
- Small businesses can be more attractive targets than larger ones because an attacker can endanger the survival of a small business through a single attack.
- Ransomware is the largest threat today against the smallest businesses.
- Insiders, like disgruntled employees, are responsible for over one-third of cybersecurity incidents involving the smallest businesses.
Most attacks today occur for financial reasons. A small business owner may be more willing than a large business owner to pay a ransom in order to hopefully regain access to systems and data, especially if that small business owner doesn’t have safeguards in place like offline data backups. But paying a ransom doesn’t guarantee a return to normal operations. A single attack from a determined attacker can shut down many small businesses, sometimes permanently.
According to the Center for Strategic and International Studies, 42 percent of small- and medium-sized businesses had to deal with the impacts of some kind of cyber attack in the past year.
To emphasize the importance of small business cybersecurity and improve support for it, in 2023 the White House announced the National Cybersecurity Strategy. As articulated in the strategy itself, “too much of the responsibility for cybersecurity has fallen on individual users and small organizations.” The strategy also asserts that “small businesses…have limited resources and competing priorities, yet [their] choices can have a significant impact on our national cybersecurity….Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
US Senator Chris Van Hollen (D-MD) recently remarked that the strategy “will help ensure that the Internet remains open and free while protecting the privacy of individuals and the security of critical networks.” Every chain is only as strong as its weakest link, and there is increasing recognition that in our society, everyone must do their part to strengthen the chain for the mutual benefit of all of us.
NIST’s Small Business Cybersecurity Community of Interest
Days after the release of the National Cybersecurity Strategy, NIST announced the launch of its Small Business Cybersecurity Community of Interest. Associated with NIST’s National Cybersecurity Center of Excellence (NCCoE), this Community of Interest (COI) is one of dozens for cybersecurity that NIST currently supports and makes available for anyone to join for free.
There are no qualifications or fees for membership, and you’re welcome to become a member whether you’re from a small business or a technology vendor, an industry group, an academic institution, a government agency, or any other organization—or interested on your own in small business cybersecurity.
Each of NIST’s COIs is unique in terms of its membership and offerings. Generally, a cybersecurity COI is announced when NIST is launching a major new project, preparing to engage with a particular sector, or planning on providing guidance on securing a particular type of technology. Last year NIST launched a new type of COI, called a community COI, to increase engagement with the academic community. The Small Business COI is NIST’s second community COI.
In the first few weeks after the Small Business COI was announced, hundreds of people had already joined it, according to NIST. The COI’s primary communications mechanism is a mailing list, which keeps COI members up-to-date on the COI’s activities, as well as any new NIST publications, webinars, and other resources and events pertinent to small business cybersecurity.
One of the first emails to the COI was on the release of a white paper, Security Segmentation in a Small Manufacturing Environment. NIST has also announced a webinar on small businesses managing their privacy risks to coincide with National Small Business Week.
With the Small Business COI in startup mode, NIST is still planning what features and benefits the COI will provide over the coming years in addition to the mailing list. However, it’s possible to make educated guesses based on what NIST’s other COIs offer. Here are typical COI benefits that small businesses joining the COI are likely to receive:
- Gain increased awareness of cybersecurity threats, vulnerabilities, and risks, and a better understanding of what needs to be done
- Interact with NIST experts and other small businesses through periodic COI meetings
- Be invited to offer suggestions to NIST for new cybersecurity resources specific to small business, as well as small business considerations that NIST should take into account within their other cybersecurity resources
- Be encouraged to provide comments on new draft NIST cybersecurity publications
- Learn about NIST’s cybersecurity resources and how small businesses can best utilize them
Pete Tseronis, founder and CEO of Dots and Bridges, a small business tech firm, recently explained the benefits of joining the Small Business COI: “I get to sit at the table and get to build trust with the federal government, NIST, on standards or regulation or policy. So it’s a no brainer, and if you’re in sales or business development or marketing…this is how you meet the people where the problems are being addressed.”
Cybersecurity Connections Initiative
At the same event where NIST launched the Small Business COI, NIST also announced the new Cybersecurity Connections Initiative. The Initiative brings together high-tech businesses in Montgomery County, Maryland, where NIST is located, with the cybersecurity experts at NIST. NIST will learn more about business cybersecurity needs, particularly for small businesses, and NIST will also provide cybersecurity companies with insights on how they can better help small businesses with their cybersecurity needs.
Several public officials spoke at the announcement event, including Department of Commerce Deputy Secretary Don Graves. He explained that the new Initiative “will team cybersecurity providers and consumers to deliver cybersecurity goods and services to smaller businesses and organizations to meet these businesses and the challenges they face where they are, as opposed to making them come to us…and try and figure out, is this what I need?” This reiterates the importance of providing small businesses with actionable information and tools that reduce the burden these businesses currently face.
Another speaker at the event, US Senator Ben Cardin (D-MD), said: “As the Chair of the Senate Small Business and Entrepreneurship Committee, I am grateful for this much needed outreach program that will work with our small businesses who are both consumers and providers of cybersecurity solutions.” This is a unique characteristic of the Initiative’s scope: government collaborating simultaneously with small businesses on both sides of cybersecurity implementation, bringing all the key parties together.
NIST’s Small Business Cybersecurity Corner
NIST’s Small Business COI is the latest in over 20 years of NIST efforts specifically targeting small businesses. In the early 2000s, NIST began collaborating with the Small Business Administration (SBA) and the Federal Bureau of Investigation (FBI) on security outreach meetings for small business.
At the same time, NIST launched what it initially called the Small Business Corner, a website with a variety of security resources specifically for small business.
What’s now called the Small Business Cybersecurity Corner has greatly evolved since its initial launch. It hosts a diverse assortment of resources, including the following:
- Links to dozens of websites, fact sheets, blog posts, case studies, planning tools and workbooks, and other cybersecurity resources for small businesses from NIST, the Cybersecurity & Infrastructure Security Agency (CISA), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), and other federal agencies, as well as trade associations and non-profit groups
- An online glossary of cybersecurity-related terms that small businesses are likely to encounter
- Insights on how small businesses can use the NIST Cybersecurity Framework
- Guidance to help small businesses respond to a cybersecurity incident, such as a data breach or ransomware attack
- Links to free cybersecurity training courses, including a NIST presentation on the fundamentals of cybersecurity for small business
- NIST videos on protecting small businesses from phishing, ransomware, and other threats
Beyond the Corner itself, NIST offers other cybersecurity resources that may be helpful to small businesses. For example, NIST’s Cybersecurity Insights blog frequently provides insights and advice on particular cybersecurity topics for small business. NIST also has a 54-page publication titled Small Business Information Security: The Fundamentals, which is written specifically for owners of small businesses and is based on the widely adopted NIST Cybersecurity Framework.
The NIST Cybersecurity Framework
Since NIST launched the Cybersecurity Framework over 10 years ago, it has been widely adopted by organizations of all types around the world. What differentiates the Cybersecurity Framework (CSF) from most other security guidance is that it is outcome-based.
In other words, the CSF tells organizations what they need to achieve with cybersecurity in terms of outcomes, instead of the details of how they need to achieve it. This gives organizations a great deal of flexibility in deciding how to implement their cybersecurity protections.
Here’s one example from the framework: “Asset vulnerabilities are identified and documented.” Finding vulnerabilities in software, like missing operating system and application patches, is certainly an important part of cybersecurity, so it’s included in the CSF.
But there are many ways to identify and document vulnerabilities. A large enterprise is likely to use numerous automated systems to monitor their servers, end user devices, and other systems for vulnerabilities, but the types and details of these systems will be unique to each enterprise.
A small business, on the other hand, might not have a centralized system for automatic vulnerability identification. Instead, it might rely on features built into its end-user device operating systems to notify users when a new patch is available or to install patches automatically as soon as they become available. Because the CSF doesn’t specify the “how,” it can apply to any organization regardless of size, but that also means small businesses using the CSF have to work out their own “how.”
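To make the outcome-based idea concrete, here is an added example (not code from the article, NIST, or the CSF) of one small-business-sized “how” for “Asset vulnerabilities are identified and documented.” It assumes the business keeps a short asset list, sets a minimum patch level per component, and records whether each device’s built-in automatic updates are switched on; the inventory, baseline versions, and date below are all constructed for illustration.

```python
"""Added example: a minimal check for the CSF outcome "Asset vulnerabilities are
identified and documented", sized for a small business.

Assumptions (not from the article): the business keeps a simple asset list,
decides on a minimum patch level per component, and wants a dated written
record of what was checked.  All data below is constructed for illustration.
"""
import json
from typing import Dict, List

# Constructed asset inventory (what a small business might keep in a spreadsheet).
# "auto_update" records whether the OS's built-in patch mechanism is switched on.
INVENTORY: List[Dict] = [
    {"asset": "front-desk-pc", "os": "windows", "os_version": "10.0.19044",
     "auto_update": True,  "apps": {"office": "16.0.17029"}},
    {"asset": "owner-laptop", "os": "macos", "os_version": "14.3",
     "auto_update": False, "apps": {"browser": "120.0"}},
    {"asset": "shop-server", "os": "ubuntu", "os_version": "22.04",
     "auto_update": True,  "apps": {"webserver": "2.4.58"}},
]

# Constructed patch baseline: the minimum version the business has decided to
# require for each component (for example, copied from the vendor's release notes).
BASELINE: Dict[str, str] = {
    "windows": "10.0.19045", "macos": "14.3", "ubuntu": "22.04",
    "office": "16.0.17029", "browser": "121.0", "webserver": "2.4.58",
}


def parse_version(version: str) -> tuple:
    """Turn '10.0.19044' into (10, 0, 19044) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def identify_vulnerabilities(inventory: List[Dict], baseline: Dict[str, str]) -> List[Dict]:
    """Return one finding per gap: a component below baseline, a component with
    no baseline defined, or a device with automatic updates switched off."""
    findings = []
    for asset in inventory:
        components = {asset["os"]: asset["os_version"], **asset["apps"]}
        for name, installed in components.items():
            required = baseline.get(name)
            if required is None:
                findings.append({"asset": asset["asset"], "component": name,
                                 "issue": "no baseline defined", "installed": installed})
            elif parse_version(installed) < parse_version(required):
                findings.append({"asset": asset["asset"], "component": name,
                                 "issue": "below baseline", "installed": installed,
                                 "required": required})
        if not asset["auto_update"]:
            findings.append({"asset": asset["asset"], "component": asset["os"],
                             "issue": "automatic updates disabled"})
    return findings


def document_findings(inventory: List[Dict], findings: List[Dict], as_of: str) -> Dict:
    """Build the dated record the outcome asks for: every asset reviewed,
    its status, and any open gaps (assets with no gaps are recorded too)."""
    by_asset = {a["asset"]: [] for a in inventory}
    for finding in findings:
        by_asset[finding["asset"]].append(finding)
    return {
        "as_of": as_of,
        "assets_reviewed": len(inventory),
        "open_findings": len(findings),
        "assets": [{"asset": name,
                    "status": "gaps found" if gaps else "no gaps",
                    "findings": gaps} for name, gaps in by_asset.items()],
    }


if __name__ == "__main__":
    # Constructed review date; in practice use today's date and keep each record.
    record = document_findings(INVENTORY,
                               identify_vulnerabilities(INVENTORY, BASELINE),
                               as_of="2024-01-15")
    print(json.dumps(record, indent=2))
```

On the constructed data the check reports three gaps: the front-desk PC’s OS is one build behind the baseline, the owner’s laptop has an outdated browser and automatic updates turned off, and the shop server is recorded as reviewed with no gaps. Keeping the dated record for assets with no findings is what turns “identified” into “documented,” which is the half of the outcome that is easiest to forget.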
NIST has recognized the need for more CSF guidance for small businesses, and they’ve responded in several ways. For example, they’ve established a CSF resources page for small and medium-sized businesses. They’ve also published Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide specifically to help small businesses with CSF implementation.
This guide recommends the activities that are typically most important to perform without being overly prescriptive. This gives small businesses more guidance on how to address cybersecurity needs while still giving each business the flexibility to choose the solutions that work best for it.
NIST has taken a similar approach with its ransomware guidance. To help all organizations thwart ransomware, NIST has published a report, Ransomware Risk Management: A Cybersecurity Framework Profile. The report defines a CSF Profile, which provides guidance to organizations on implementing the portions of the CSF that are particularly important for stopping ransomware. To complement the Profile, NIST has also released a quick start guide titled Getting Started with Cybersecurity Risk Management | Ransomware. NIST’s quick start guides are a sound place for small businesses to get advice on low-cost actions they can take to tackle the biggest threats they face.
A major update to CSF is currently under development at NIST. NIST has publicly stated that they will take small business needs into greater consideration in CSF version 2.0.
Cybersecurity resources for small businesses
The Cybersecurity Guide for Small Business helps small businesses to understand the cybersecurity threats against them, the risks they face, and the actions they can take to address their vulnerabilities.
NIST’s Small Business Cybersecurity Corner is a site with links to several dozen useful resources for small businesses, including cybersecurity guides, training courses, and videos. Other federal agencies offer additional resources, including the Cybersecurity & Infrastructure Security Agency (CISA), the Small Business Administration (SBA), and the Federal Communications Commission (FCC).
Sign up for NIST’s Small Business COI here: https://www.nccoe.nist.gov/get-involved/join-community-interest. All NIST COI mailing lists are low-volume, with each email highlighting something you’ll likely be interested in.
The National Cyber Security Centre in the UK offers its Small Business Guide: Cyber Security resource, which explains several basic cybersecurity actions that every small business should take.