NIST Small Business Information Security guide for Small businesses

The NIST Small Business Information Security: The Fundamentals guide aims to provide basic cybersecurity recommendations to small businesses.

I have always stressed the necessity to improve cyber security posture for small businesses that are most exposed to threat actors across the world. Now the National Institute of Standards and Technology has released a cybersecurity guide to support small businesses in securing their IT infrastructure.

The NIST “Small Business Information Security: The Fundamentals” guide aims to provide basic cybersecurity recommendations for small businesses through a risk assessment process.

“Businesses of all sizes face potential risks when operating online and therefore need to consider their cybersecurity,” she said. “Small businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.” reads the NIST announcement. 

“Many small businesses think that cybersecurity is too expensive or difficult; Small Business Information Security is designed for them,” Toth said. “In fact, they may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival.” In fact, the National Cyber Security Alliance found that 60 percent of small companies close down(link is external) within the six months following a cyberattack.

This guide is an important exercise for small-business owners that are not experienced in cybersecurity, it explains to them how to protect their information systems from cyber threats.

The Small Business Information Security: The Fundamentals guide proposes a classic approach that follows the IDENTIFY/PROTECT/DETECT/RESPONSE/RECOVER steps focusing on understanding and managing risks for small businesses. The guide also includes worksheets that could be used by small businesses to identify the information they manage. It is essential to assess the information assets and identify potential risks to it.

Of course, the guide is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was issued in 2014.

The NIST highlighted that the new guide describes how to:

• limit employee access to data and information;
• train employees about information security;
• create policy and procedures for information security;
• encrypt data;
• install web and email filters; and
• patch, or update, operating systems and applications.

The guide also suggests install surge protectors and uninterruptible power supplies, considering to transfer the risks with cybersecurity insurance; and find reputable cybersecurity contractors.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – NIST Small Business Information Security, cybersecurity)