We read too many stories today about data breaches involving millions of data records and ransomware attacks that bring down large corporate conglomerates for days. It is important to remember, however, that while attacks on giant organizations grab the headlines, small and medium-sized businesses (SMBs) are also targeted by cybercriminals, and those cyberattacks can have more devastating consequences. The adage that “bullies thrive where authority is weak” certainly applies to cybersecurity.
This fact is illustrated in the annual Cost of a Data Breach Report from IBM Security, which finds that the average cost of a data breach for businesses with fewer than 500 employees reached $3.31 million in 2023, an annual increase of 13.4%, while the average cost for organizations with more than 10,001 employees decreased during the same time period. Moreover, the impact of cyberattacks differs based on organization size: while large-cap companies have the resources to recover from even the most powerful attacks, a single well-placed strike can prove fatal for a small business.
The vulnerability of SMBs to cyberattacks has not gone unnoticed by governments across the world. In the U.S., small businesses are invaluable to the national economy, as they create more than 60% of new jobs and account for 44% of U.S. economic activity. Accordingly, significant efforts are being made to help these organizations tackle the challenge of cyberattacks. In particular, the U.S. National Institute of Standards and Technology (NIST) has developed a security framework that provides small businesses with cost-effective guidance for strengthening their cyber resilience.
A Silver Lining for SMBs Regarding Cybersecurity
According to Verizon’s 2022 Data Breach Investigations Report, “Very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so.” However, while attacks on large corporations are typically complex and well-orchestrated, attacks on SMBs often involve cybercriminals simply seizing opportunities. It’s more akin to trying the doors of vehicles parked in the driveways of a large neighborhood than a sophisticated auto theft ring.
Ironically, that is good news, since defending against these opportunistic attacks doesn’t necessarily require elaborate and expensive security strategies. Instead, the prescription calls for a combination of practical, cost-effective measures that are easy to implement yet highly effective.
Clear and Effective Guidance for SMBs
Even better, there is a handbook available that can guide a small business through the process of strengthening its defenses in a way that doesn’t require a technical degree. The NIST Cybersecurity Framework (CSF) 2.0: Small Business Quick Start Guide is designed specifically for SMBs. Unlike other security guides, this one acknowledges that small businesses have limited resources for cybersecurity protection, so it is designed to be easily understood and implemented by small business owners or executives without the need for costly cybersecurity experts.
This easy-to-read document is organized around the six high-level functions in the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond and Recover. For each function, it outlines the key assessment measures and priorities. For example, here are some of the recommended actions:
- Assess the potential impact of a total or partial loss of critical business assets and operations.
- Inventory and classify your business data.
- Prioritize changing default manufacturer passwords.
- Engage a service provider to monitor computers and networks for suspicious activity if you don’t have the resources to do it internally.
- Communicate a confirmed cybersecurity incident with all internal and external stakeholders.
- Prioritize your recovery actions based on organizational needs, resources and assets impacted.
Benefits beyond Cybersecurity
Designed to be applicable to organizations of all sizes and sectors, the NIST CSF is a versatile tool for any business looking to improve cybersecurity and cyber resilience. In addition, implementing this framework offers many other benefits, including the following:
- Business strategy integration — The NIST CSF emphasizes the importance of aligning cybersecurity initiatives with business objectives, which helps ensure that IT efforts support the organization’s overall goals.
- Stronger relationships — Implementing the CSF demonstrates a strong commitment to cybersecurity, which can enhance trust among customers, partners and investors.
- Reduced insurance premiums — Some insurance providers offer discounts to businesses that can demonstrate robust cybersecurity practices. In fact, core security controls like those outlined in the NIST CSF are increasingly required to qualify for a policy at all.
- Regulatory alignment — The NIST Cybersecurity Framework offers practical guidelines to help organizations systematically identify, assess and mitigate cybersecurity risks as mandated by regulations like CCPA, HIPAA and SOX.
Conclusion
The renowned artist Pablo Picasso once said, “Action is the foundational key to all success.” In today’s threat landscape, it is essential to take proactive actions against cyberattacks across all the functions of the NIST CSF, from strong governance and prevention controls to timely detection, response and recovery measures.
Small and medium-sized businesses in particular have a duty of care to implement reasonable security measures. While SMBs don’t have the same budgets or internal expertise as their corporate counterparts, they also face less complexity in the types of attacks they encounter. Accordingly, by implementing the practical, proven strategies offered in the NIST CSF Small Business Quick Start Guide, they can dramatically improve their security and cyber resilience, thereby reducing the risk that a cyberattack will shutter their business.
Ilia Sotnikov is Security Strategist & Vice President of User Experience at Netwrix. He has over 20 years of experience in cybersecurity as well as IT management experience during his time at Netwrix, Quest Software, and Dell. In addition, Ilia is a regular contributor at Forbes Tech Council where he shares his knowledge and insights regarding cyber threats and security best practices with the broader IT and business community.