Many small-business owners are willing to do more to improve their cybersecurity but don’t know what else to do. The number of options, whether products or services to purchase or policies and processes to adopt, can be paralyzing. In addition, much of cybersecurity is more organizational than technical in nature, making the IT department unsuited or unable to tackle it alone.
So, what should a small business do?
Getting started with cybersecurity
The National Institute of Standards and Technology (NIST) published a document in October 2009 titled Small Business Information Security: The Fundamentals (NISTIR 7621). Seven years later, this document is still a great place to start. It consists of 10 “absolutely necessary” actions, 10 highly recommended practices and additional planning considerations. Besides listing some basic controls that every business should implement, it focuses heavily on training and awareness, which I firmly believe are underappreciated today.
Recent IT security developments
A few topics that have become more relevant and accessible to small businesses since 2009 are absent from the NIST fundamentals. These include disk encryption and multifactor authentication, both of which should be part of even a basic cybersecurity program. A good next step after implementing the NIST fundamentals is to update them by ensuring that all portable media containing sensitive information are encrypted and that multifactor authentication is used for remote access wherever possible.
Adding layers of IT security controls
Once these bare basics are in place, another government tool points the way toward a more thorough, ongoing effort. The FCC’s Small Biz Cyber Planner generates a list of security controls and practices organized by topic. While it is more detailed than the NIST fundamentals overall, certain topics such as mobile devices, operational security and payment cards are worth focusing on, as they are notably absent in the NIST report.
Adopting an IT framework
In February 2014, NIST published a Cybersecurity Framework to help businesses and organizations address cybersecurity risks. The Framework Core consists of a broad listing of categories, subcategories and informative references across five cybersecurity functions: Identify, Protect, Detect, Respond and Recover. Fortunately for small businesses, adopting the framework does not mean adopting the core wholesale. It means comparing current practices to the Framework Core, while taking business requirements into account, to identify gaps between actual cybersecurity results and goals. Furthermore, while the framework identifies four Framework Implementation Tiers of increasing sophistication, it is explicitly left to an organization to decide which of Tiers 2-4 is best for its needs (although those in Tier 1 should take action to improve).
In short, while the NIST Cybersecurity Framework is a comprehensive and detailed approach to cybersecurity, it is flexible enough to be useful for those small businesses that are willing to put forth the effort to be methodical in managing cybersecurity risk at an organizational level.
Locking down IT services
Finally, a publication by the nonprofit Center for Internet Security called the CIS Critical Security Controls for Effective Cyber Defense consists of 20 prioritized sets of actions that organizations can take to harden their cyber defenses. While complete adoption of all of the controls is unlikely to be achievable for most small businesses in the immediate future, they serve well as a technical reference and a window into what enterprise-level cybersecurity looks like.