Earlier this month, the National Institute of Standards & Technology (NIST) Small Business Cybersecurity Act became law. There are a few important things you should know about these new guidelines.
Designed for small and medium-sized businesses, this law requires NIST to – within the next year – release a collection of informational resources that will help organizations identify, assess, and reduce their cybersecurity risks.
Although NIST is required to create these recommendations, small and medium-sized businesses aren’t required to follow them. Applying the recommendations is voluntary – but will likely offer a good place to start as you form your own cybersecurity plan.
Why a NIST Framework for Small Businesses?
NIST already offers a Cybersecurity Framework that outlines cybersecurity standards, guidelines, and practices enterprises can use to protect their critical infrastructure; however, most small organizations find this NIST framework to be too expensive and difficult to implement.
The new Small Business Cybersecurity Act specifically targets small and medium-sized businesses for a few reasons:
- Budgets may be smaller in these organizations, making it more difficult to deploy the right types of layered cybersecurity solutions.
- Smaller in-house teams may find it challenging to juggle the ever-changing world of cybersecurity.
- Smaller companies tend not to invest as heavily in cybersecurity. According to a 2017 survey by Manta, only 69% of small businesses have any cybersecurity controls in place (almost one out of every three small businesses has nothing in place).
It can be awfully tempting for a small business to ignore cybersecurity altogether. After all, the events that make the news involve large, well-known organizations. But bad actors know that small businesses tend to be a little lax about cybersecurity – which is one of the things that makes smaller businesses enticing targets.
According to the 2017 State of Cybersecurity in Small & Medium-Sized Businesses report from Ponemon Institute, 61% of small businesses experienced a cyberattack in 2017 (up from 55% in 2016). And KnowBe4 reports that 57% of small and medium-sized businesses have seen an increase in attack volume over the past 12 months.
What the New NIST Framework Covers
Per the Small Business Cybersecurity Act, the guidelines in this new NIST framework must:
- Apply to many types of small and medium-sized businesses
- Be easy to follow and affordable to implement
- Promote workplace cybersecurity awareness
- Provide practical, technology-neutral strategies
- Include case studies of practical application
- Help businesses make cybersecurity best practices a required component of corporate culture
- Be consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980
We anticipate that the guidelines will offer information to small businesses on things like:
- How to train staff to recognize and report potential phishing activities
- Best practices for passwords and password management
- Tips on protecting data when transferring it outside business walls
As the NIST Small Business Cybersecurity Act guidelines are rolled out over the next year, we’ll keep you updated on what they recommend.
In the meantime, if you have any questions about these guidelines, how they might impact you, or how you can integrate them into your own cybersecurity plan, don’t hesitate to send me a note – I’m here to answer your questions.