Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

11/17/2016
03:10 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NIST Releases Version of Cybersecurity Framework for Small Businesses

Researchers offer a step-by-step approach for covering the basics of cybersecurity.

NIST has been working closely with the Small Business Administration on cybersecurity issues for small business since 2003.

Now, as a follow-up to years of collaboration, NIST recently released a streamlined version of its Cybersecurity Framework geared to small businesses owners. 

Released earlier this month, Small Business Information Security: The Fundamentals, runs 54 pages and offers small businesses a snapshot of the core concepts of the framework, which include the following: identify, protect, detect, respond and recover.

Patricia Toth, a supervisory computer scientist and co-author of the report with Celia Paulsen, says the guide came out of numerous workshops NIST held in tandem with the SBA over the past several years.

“We wanted to get some of the main points of the Cybersecurity Framework to the small business audience, but realized that the average small business owner wouldn’t want to pour through the entire framework,” Toth points out.

Frank Dickson, an analyst with IDC who covers security, says the streamlined document NIST put together for small businesspeople does a good job covering the basics of security.

“The only point I would add is that the document stresses strong passwords and while that’s good cyber hygiene, I’d like to see people look more toward stronger authentication,” Dickson says.

Toth adds while stronger authentication makes sense for more mature organizations, the average small business is generally just starting to think about stronger security, so they decided to get people focused on stronger passwords.

Even though it’s streamlined at 54 pages, small business owners may still not know where or how to get started security. Here’s a thumbnail that outlines six steps: 

  1. Manage risk. Small business owners should start by asking what information is most important to the business and what’s essential for them to protect. For example, if a marketing booklet gets leaked it’s probably not as sensitive as if a customer list was exposed.
  2. Train the staff. Run a lunchtime seminar on how to identify phishing attacks and how to notify suspicious email and report it to the owner. It’s also important for the staff to be aware of the company’s policies on using Facebook, YouTube videos or general Internet browsing time. If there are no policies, then make your wishes known to the staff.   
  3. Stay up to date.  Keep in mind there are small businesses with close to 100 employees and those with under 10. For the companies with under 10 employees, they may have a tech person who comes to set up the network, but they don’t always have that person handle software updates and patches. We understand there’s a lot going on at your company and you are focused on sales, but don’t let updates and patches sift through the cracks. Automate as much as possible, but try to do the updates when they come out.  
  4. Run backups routinely. So many small businesses don’t do this and with ransomware as much as a threat as it is today, running offsite backups has become more important than ever. Decide if backups need to be run once a day or once a week, but once a month won’t keep your company safe.   
  5. Investigate cyber insurance. Cyber insurance may or may not be worth it to your company. However, it makes sense to talk to some insurance brokers and see where you stand. Whatever you do, don’t call about cyber insurance without having your security program in place. The rates you pay and how much cyber insurance your company qualifies for will be based on your overall security posture. A ratings system has been evolving and has not been standardized yet, and be prepared to do some homework before asking a broker about cyber insurance.
  6. Seek out a professional IT company. Even larger small businesses tend to have an IT person or outsourced contractor who comes in and sets up and manages the network. Use business contacts or your trade association to find out technology companies with experience running network security, preferably in your industry if possible. These companies can set up individual password accounts, secure the routers, install firewalls and web filters and explain how the system runs to the owner or the owner’s designated in-house tech person. Too many companies try to go it alone and then complain about spending money on a professional IT company. Don’t be that company. One breach of a prized customer list or sales results that get into the wrong hands and it could cost you your business. Working with professional IT people is well worth the expense, especially in this threat landscape. 

Related Content:

 

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26120
PUBLISHED: 2020-09-27
XSS exists in the MobileFrontend extension for MediaWiki before 1.34.4 because section.line is mishandled during regex section line replacement from PageGateway. Using crafted HTML, an attacker can elicit an XSS attack via jQuery's parseHTML method, which can cause image callbacks to fire even witho...
CVE-2020-26121
PUBLISHED: 2020-09-27
An issue was discovered in the FileImporter extension for MediaWiki before 1.34.4. An attacker can import a file even when the target page is protected against "page creation" and the attacker should not be able to create it. This occurs because of a mishandled distinction between an uploa...
CVE-2020-25812
PUBLISHED: 2020-09-27
An issue was discovered in MediaWiki 1.34.x before 1.34.4. On Special:Contributions, the NS filter uses unescaped messages as keys in the option key for an HTMLForm specifier. This is vulnerable to a mild XSS if one of those messages is changed to include raw HTML.
CVE-2020-25813
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, Special:UserRights exposes the existence of hidden users.
CVE-2020-25814
PUBLISHED: 2020-09-27
In MediaWiki before 1.31.10 and 1.32.x through 1.34.x before 1.34.4, XSS related to jQuery can occur. The attacker creates a message with [javascript:payload xss] and turns it into a jQuery object with mw.message().parse(). The expected result is that the jQuery object does not contain an <a> ...