Small businesses may think they won’t become victims of a cyberattack, but odds are they will. In fact, 43 percent of cyberattacks specifically targeted small businesses in 2015, up from just 18 percent in 2011. That’s because many small businesses store sensitive information but aren’t taking adequate steps to protect it, making them easy prey for hackers. They may also serve as a conduit to larger organizations through payment portals and supply chain systems.
Many smaller organizations tend to believe that cybersecurity is complex and expensive, so they fail to take even basic steps to protect their information systems. In addition, few small businesses have the expertise in-house to design and implement a cybersecurity strategy. The stakes are extremely high, however. According to the National Cyber Security Alliance, 60 percent of small companies close down within the six months following a cyberattack.
To address these gaps, the National Institute for Standards and Technology (NIST) has published a new guide that explains ways that smaller organizations can enhance their security posture. Entitled “Small Business Information Security: The Fundamentals,” the new publication is written for small business owners who are not experienced in cybersecurity. Its simple language allows organizations to better communicate about security, and its overall design helps them identify, assess and manage risks.
The guide is based upon NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was issued in 2014 as part of efforts to protect the nation’s critical infrastructure. The framework’s processes and tools provide key standards and best practices developed over decades by the federal government and industry.
Because improved security begins with an understanding of vulnerabilities, the guide walks users through a simple risk assessment. Worksheets help organizations identify the information they store and use, determine its value, and evaluate the risk to the business and customers if its confidentiality, integrity or availability were compromised.
Once they have prioritized their cybersecurity efforts, organizations can begin implementing best practices for protecting sensitive data. The new guide describes how to:
- create policies and procedures for information security
- limit employee access to information
- encrypt data
- install web and email filters
- patch or update operating systems and applications
- train employees about information security
Other recommendations may require new equipment, and the guide can help businesses perform cost/benefit analyses.
Because a cybersecurity incident may occur despite these efforts, the publication offers guidance on detecting, responding to and recovering from an attack. It also suggests ways to find reputable cybersecurity contractors, and recommends that small businesses consider purchasing cybersecurity insurance.
The Atlantic-IT.net security team suggests that small business owners read the NIST publication and use its guidelines and worksheets as a starting point for developing a cybersecurity plan. When you’re ready to take the next step, we invite you to call us for a confidential consultation. As your outsourced IT department, Atlantic-IT.net stands ready to help you implement cost-effective solutions to safeguard your sensitive systems and data.