Like much of IT, cybersecurity is not a one-size-fits-all proposition. The comprehensive approach that large enterprises should employ to identify and address risks and to detect and respond to attacks is often out of reach for small businesses. Yet as the frequency and impact of cyberattacks on businesses of all sizes continue to grow, the typical small-business approach of taking the usual precautions and hoping for the best is proving inadequate.
Many small-business owners are willing to do more to improve their cybersecurity but don't know what else to do. The number of options, whether products or services to purchase or policies and processes to adopt, can be paralyzing. In addition, much of cybersecurity is more organizational than technical in nature, so the IT department is often unsuited or unable to tackle it alone.
So, what should a small business do?
The National Institute of Standards and Technology (NIST) published a document in October 2009 titled Small Business Information Security: The Fundamentals (NISTIR 7621). Seven years later, this document is still a great place to start. It consists of 10 "absolutely necessary" actions, 10 "highly recommended" practices and additional planning considerations. Besides listing basic controls that every business should implement, it focuses heavily on training and awareness, which I firmly believe are underappreciated today.
A few topics that have become more relevant and accessible to small businesses since 2009 are absent from the NIST fundamentals. These include disk encryption and multifactor authentication, both of which should be part of even a basic cybersecurity program. A good next step after implementing the NIST fundamentals is to extend them by ensuring that laptops and all portable media containing sensitive information are encrypted, and that multifactor authentication is required for remote access wherever possible.
Once these bare basics are in place, another government tool points the way toward a more thorough, ongoing effort. The FCC's Small Biz Cyber Planner generates a list of security controls and practices organized by topic. It is more detailed than the NIST fundamentals overall, and certain topics, such as mobile devices, operational security and payment cards, deserve particular attention because they are absent from the NIST report.
Adopting a framework
In February 2014, NIST published a Cybersecurity Framework to help businesses and organizations address cybersecurity risk. The Framework Core consists of a broad listing of categories, subcategories and informative references across five cybersecurity functions: Identify, Protect, Detect, Respond and Recover. Fortunately for small businesses, adopting the framework does not mean wholesale adoption of the core. Instead, an organization documents its current practices as a Current Profile, sets a Target Profile that reflects its business requirements and risk tolerance, and compares the two to identify gaps between where its cybersecurity outcomes are and where they should be. Furthermore, while the framework defines four Framework Implementation Tiers of increasing sophistication (Partial, Risk Informed, Repeatable and Adaptive), it is explicitly left to the organization to decide which of Tiers 2-4 best fits its needs, although organizations at Tier 1 are encouraged to take action to improve.
In short, while the NIST Cybersecurity Framework is a comprehensive and detailed approach to cybersecurity, it is flexible enough to be useful for small businesses that are willing to put forth the effort to manage cybersecurity risk methodically at an organizational level.
Locking it down
Finally, a publication by the nonprofit Center for Internet Security called the CIS Critical Security Controls for Effective Cyber Defense consists of 20 prioritized sets of actions that organizations can take to harden their defenses. Complete adoption of all 20 controls is unlikely to be achievable for most small businesses in the immediate future, but the list serves well as a technical reference and as a window into what enterprise-level cybersecurity looks like.
Steven Ellis has spent the last 16 years working at the intersection of business and technology for Bellwether Technology in New Orleans, where he serves as the company’s vice president.