Cybersecurity is complicated and small businesses have a hard time keeping up with it. They can’t afford the big staff and army of specialists which a large enterprise can hire. The National Institute of Standards and Technology (NIST) is well aware of this problem. That’s why it has set up the Small Business Cybersecurity Corner.
Browsing the site and bookmarking the most relevant articles can be a major help to managers trying to understand security procedures. Most of the material consists of links to third-party sites, focusing on basic issues. The site is oriented toward managers and IT generalists, not security specialists.
The creation of the Corner
On August 14, 2018, President Trump signed Senate Bill 770, the NIST Small Business Cybersecurity Act. The authors of the act were Senators Brian Schatz and James Risch. It directed NIST to provide “resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” NIST complied by setting up the Cybersecurity Corner on the Web.
Sen. Schatz said that “while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers.” Smaller organizations, by their nature, have limited resources and expertise outside their specialty. Their small size doesn’t save them from being targets, though.
Indeed, small business data networks are favorite targets of online criminals. Many of them are poorly protected, so it’s much easier to penetrate them than to get past a major corporation’s defenses. Even if they don’t have a great wealth of confidential data, they’re useful as jumping-off points. Criminals can install malware in machines that makes them part of “botnets.” A botnet of thousands or millions of machines can send out mountains of spam or launch massive attacks on bigger targets. A compromised site runs less efficiently and is more likely to crash as thieves siphon off its resources. Internet blacklists will mark it as a dangerous site, browsers will warn users against it, and filters will block its mail.
Every network which connects to the Internet is a constant target of probing. There’s no such thing as “too small to bother with.” Just as phone scammers dial one number after another, online attackers try every address on the Internet to see if there’s a weakness.
The damage an online attack can do to a small business is proportionately worse than to a large business. Smaller organizations have fewer reserves and can be pushed more quickly to the point of collapse. Small businesses account for 99.7% of the employers in the US, so their role in Internet safety is significant. The Small Business Cybersecurity Corner helps them to find the resources they need to reduce their risk.
Most of the site’s content consists of links to articles on aspects of business cybersecurity. These articles are found on the sites of the partners that have joined in the creation of the Cybersecurity Corner. The following contributors are listed:
- Department of Homeland Security. DHS covers security in many forms, not all of which make headlines. It’s concerned about small business cybersecurity because the cumulative effect of small attacks can lead to major harm.
- Federal Bureau of Investigation. Unauthorized computer breaches, large or small, are federal crimes, and they fall under the FBI’s area of concern. The better defended small networks are, the more resources the FBI can bring to bear on the attacks that get through.
- Federal Communications Commission. Online crime is abuse of the national telecommunication networks, and the FCC is empowered and obligated to address the issue.
- Small Business Administration. The SBA promotes the “establishment and viability of small businesses” in the United States, and their online security is a key part of their viability.
- Department of Justice. The DoJ deals with every kind of federal crime, and online crime is a growing part of their caseload. If businesses can prevent more attacks, the DoJ can be more effective.
- Global Cyber Alliance. The GCA is a non-profit organization founded as a partnership of law enforcement and research organizations. It promotes solutions to online risk on an international level.
- National Cyber Security Alliance. The NCSA is a nonprofit organization which works with the DHS and with private sector sponsors. Its mission is to “educate and empower our global digital society to use the internet safely and securely.”
- National Initiative for Cybersecurity Education. Operating under NIST’s Applied Cybersecurity Division, NICE is a partnership focusing on cybersecurity education and training.
- Manufacturing Extension Partnership. The MEP National Network, a public-private partnership promoting manufacturing in the United States, has a strong interest in security resources for manufacturers.
How to use the information
The information on the Cybersecurity Corner is directed primarily at management. That can mean everyone from the CEO to information technology managers. It’s not a source of advanced technical details, but it provides the background for managing those details. At least one person in a position of responsibility needs to bookmark the site and develop a general familiarity with it.
This means reading it in advance. When a successful attack is underway, it’s too late to develop plans. Cybersecurity management is about prevention and well-planned reactions.
Any company, no matter how small, needs to have someone who’s responsible for cybersecurity. It ought to be a person with at least a general IT background. Most IT generalists don’t have deep knowledge of security issues, and they will benefit from studying the materials on NIST’s site.
For high-level managers
CEOs and other high-level managers need to know something about online security even if they never touch a server. They have to approve policies and understand compliance requirements. They should spend some time reviewing the glossary on the site, to familiarize themselves with the terminology. The “For Managers” section under “Cybersecurity Basics” links to several articles that will aid them in their leadership role.
Managers should look at the articles under “Training” and “Employee Awareness.” Most security failures are at least partly the result of human error. People open phishing messages, visit suspect websites, and choose poor passwords. A well-trained workforce is much less vulnerable to trickery.
People in management should be aware of the compliance requirements for their particular business. For many businesses, the best way to meet the requirements is simply not to store certain types of sensitive data, such as credit card numbers. The “Compliance” header under “Guidance by Topic” will help them to determine which regulations and industry standards concern them.
The linked articles on “Vendor Security” and “Hiring a Webhost,” both from the FTC, discuss security considerations when setting up business partnerships. If a business arrangement involves giving sensitive information to another party, explicit agreements on information use and technical protections are both important.
For IT managers
People whose expertise is in installing and running computer systems and networks may find their abilities challenged when they have to protect them as well. The small-business IT person needs to have many skills.
The “All-Purpose Guides” header under “Guidance by Topic” provides a good selection of articles for improving security. “Information Security for Small Business,” from NIST, provides a useful summary of the basics and puts them in context. The FCC’s Cyber Tip Sheet is a one-page document which is worth printing out and keeping close at hand.
The material under “Responding to a Cyber Incident” is something which IT managers need to know before an incident happens. A quick response and effective remediation are easiest to achieve when a plan is already in place. Without one, the process is going to be confused and impulse-driven.
The Cybersecurity Corner site is frequently updated, so managers should check back often for new material. They should also explore the links from the partner sites for additional tools and resources.
While every business should educate itself as much as possible on cybersecurity, many just can’t find a cost-effective way to build a staff with the necessary skills. One-person IT departments can’t do everything. Fortunately, they don’t have to.
More and more small businesses, and even many not-so-small ones, have discovered that managed IT services are the best way to deal with an increasingly complex online world. Such a service provides expert support and has specialists on call when they’re needed. You share the cost with other customers, so the cost is far less than that of a full-time staff.
For trustworthy, expert IT services, Nashville businesses call on Kraft Technology Group. KTG will start with a risk assessment on your network and business processes, identifying existing problems and weaknesses. Then we will upgrade your security where needed, reducing your attack surface and eliminating vulnerabilities. We’ll identify any compliance requirements you need to meet and help you to get up to the standard.
Security is an ongoing process. After the initial round of assessment and enhancement, we’ll assist with software upgrades, monitoring, and reporting of any new issues. It’s a small investment when you consider that it keeps your whole business safe from ruinous data loss. You’ll be able to focus on your core business, and your customers and partners can be confident their information is well protected.
If you’re headquartered or have branch offices in or around Tennessee, talk with us to learn how we can help with all aspects of your data network. In today’s Internet, you need experts on your side.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.