NIST Small Business Cybersecurity Corner
Unless you have been living under a rock the past few years, you know that cybersecurity and information security (InfoSec) are constantly in the mainstream news.
Unfortunately, most of the “breach news” being reported involves large organizations. We never hear about the small business breaches and incidents that happen right in our backyards.
The “little guy” is often forgotten about when it comes to the world of security. Not just in the news, but also with the solutions being created. It seems like every new and emerging technology is focused on solving the issues we read about, not the ones we don’t.
Fortunately, for small businesses, there are security organizations looking out for them!
No, this is not the part where we toot our own horn and say “like Beryllium InfoSec Collaborative.” We are talking about the National Institute of Standards and Technology (NIST).
Recently, NIST did a great thing and created the “Small Business Cybersecurity Corner” for leaders of small to medium-sized businesses to reference when developing or strengthening their security programs.
Why is this so great? NIST is a non-regulatory agency of the United States Department of Commerce, which means it cannot force businesses to do anything.
Its sole purpose and mission is to promote innovation and industrial competitiveness. It uses its high-level expertise to make recommendations on ways to implement everything from technology and engineering to information technology, cybersecurity, information security and more.
The key word is expertise. In today’s digitally connected world, expertise is vital. The days of having a “one stop shop” for anything related to security or technology are over.
Small businesses cannot afford to develop, implement, manage and continually improve their security “in-house.” They need to harness the power of collaboration with subject matter experts.
In one fashion or another, everything maps back to NIST. If you are a small business, you should not be trying to implement the same security controls as Fortune 500 organizations.
Small businesses should be using the proper resources and expertise to find the security standard that best fits their business. The NIST Small Business Cybersecurity Corner is a great resource, but where does one go to find the expertise to implement some of the recommendations that NIST provides?
Feeling paralyzed on where to start?
At Beryllium, we believe in the power of true collaboration.
Let’s peel back some of the areas within the Small Business Cybersecurity Corner to gain a better understanding of what resources small to medium-sized businesses have at their fingertips.
Awareness is huge for small businesses when it comes to security. No one is expected to know everything, but with so many buzz terms in the security world these days, knowing the basics is extremely helpful when making investments in cost-effective security solutions.
The Cybersecurity Risks section NIST provides is a tad lengthy, but provides good links for learning more about the risks every small business faces. We highly recommend you take some time to read through each, so the attacks you hear and read about in the news become easier to comprehend.
One area of focus is communication. Effectively communicating security throughout an organization can be challenging. Based on roles, the risks people associate with security can vary.
For example, the C-suite will view risk differently than the accounts payable team, while the accounts payable team will view risk differently than the sales team. For some tips on how to communicate effectively, check out the For Managers section.
Do you keep hearing the same term or acronym during security discussions, but aren’t exactly sure what it means? Have no fear…the Glossary is your saving grace!
Planning is essential for all aspects of running a successful small business. When it comes to cybersecurity and information security, planning can be the difference between life and death for a small business.
The Planning Tools & Workbooks section dives into things like security road maps, cyber insurance and security plan templates. Sounds easy, right? Not necessarily.
Remember the emphasis on “expertise” mentioned above? These are things you should be working with experts on, because a third party’s opinion brings a new perspective on risk-heavy decisions.
Example? Cyber insurance. There are a lot of insurance providers claiming to have the best cyber insurance policies. But do they? Make sure to shop around. Start with someone like Risk Placement Services (RPS) who truly does understand cyber insurance, at levels small businesses can afford.
Not sure what standard to attest to? Are you being told by a customer that you need to be NIST 800-53 or ISO 27001? Although those are fairly recognizable standards, they are quite robust security programs, and could be daunting for your organization to implement.
Our suggestion: Look into the NIST Cybersecurity Framework (often referred to as “NIST CSF”). It caters well to small businesses that want a higher level of cyber hygiene, without having to focus on control sets that do not relate to their business. NIST CSF is a great standard to attest to if a business wants an adequate level of cyber hygiene.
Guidance by Topic
Within the Guidance by Topic section, you can go directly to resources that are driven by topics such as compliance, employee awareness, developing secure products and more. We are going to focus on two: compliance and employee awareness.
When it comes to compliance, businesses need to change their mindset from a “finish line” to a “journey.”
When security is forgotten, it breaks. At Beryllium, we work with businesses to not only identify what compliance standards they are required to meet, but help them stay compliant once they have met the requirements.
Make sure your business has the right security partner to join you on that journey.
Employee Awareness is a no-brainer for every business, big or small. By now, you likely know that people are the biggest threat to your business, but also the number one target of malicious actors.
Although NIST provides some free resources for awareness training, we highly advise you work with subject matter experts. Why? Because training is only as good as the effort put forth by the person(s) championing the program.
Cyber awareness and employee training are separate focuses, yet both are cost-effective. In fact, they are the biggest return on security investment an organization will receive. If you are not continuously building cyber awareness and training your employees effectively, what is your defense in the event that a breach happens through phishing or social engineering attacks?
One of the industry leading information security training and awareness solutions, which is also affordable, is InteProIQ.
Their phishing simulation tool is second to none. The training modules are easy to deploy and complete. By training and testing your workforce, your business’ cyber hygiene will increase dramatically.
Responding to a Cyber Incident
The stats show that every business is a target and a future breach is likely. Gartner predicts 60% of businesses will suffer major service failures due to the inability of IT security teams to manage digital risk, in relation to cyber incidents.
No business is 100% secure. A business can invest every free dollar it has in defending against a breach, but what happens when a malicious actor gains access to your network? It only takes one click!
The immediate steps to stop and limit the impact of a breach are the difference between “minimal” and “detrimental.”
Having an incident response plan is something every business needs. Small to enterprise, that plan needs to be well thought out…and practiced! What good is a plan if no one follows it?
Work with a third party subject matter expert when building (and testing!) an incident response plan. Before doing so, study the information NIST provides via the Cybersecurity Corner. It will help you in your selection process.
When testing your plan, work with ethical hackers who can simulate what the “bad guys” are doing. Having them find the gaps has far less impact on the bottom line than having an actual bad guy find them. An organization of ethical hackers like RedTeam Security is a great place to start.
To recap, Beryllium InfoSec Collaborative’s mission is to help small businesses go from paralyzed to empowered with regard to cybersecurity and information security. In order to begin on the correct journey, business leaders need a reliable place to start. NIST’s Small Business Cybersecurity Corner is a great place to do that.