The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness.  The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (Cybersecurity Framework).  For additional background on the Cybersecurity Framework, please see our prior post on the subject. 

According to NIST’s press release, the guidance is “written for small-business owners not experienced in cybersecurity and explains the basic steps they can take to better protect their information systems.”  The guidance notes that small businesses are often viewed as soft targets by cyber criminals because they have fewer resources to devote to information security than larger organizations.  For purposes of this guidance, NIST defines small businesses as for-profit, non-profit, and similar organizations with up to 500 employees; however, this guidance provides an overview of information security and cybersecurity along with key recommendations that are generally applicable to all businesses regardless of size.

The guidance is divided into four sections and appendices.  The first section provides background on information security and cybersecurity and provides context for the additional sections.  The second section provides recommendations on how to identify, understand, and manage certain cyber-related risks and outlines when it is appropriate to seek outside assistance.  The third section sets forth programmatic steps that small businesses can take to develop or improve their cybersecurity maturity using the Cybersecurity Framework’s broad categories: Identify, Protect, Detect, Respond, and Recover.

The fourth section provides a list of “recommended practices” that small businesses can immediately implement to better protect their systems and information.  These practices include the following:

  • Pay attention to the people you work with and around.
  • Be careful of email attachments and web links.
  • Use separate personal and business computers, mobile devices, and accounts.
  • Do not connect personal or untrusted storage devices or hardware to your computer, mobile device, or network.
  • Be careful downloading software.
  • Do not give out personal or business information.
  • Watch for harmful pop-ups.
  • Use strong passwords.
  • Conduct online business more securely.

Lastly, the appendices contain helpful information security resources for small businesses, including risk analysis worksheets and sample information security policy and procedure statements.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ashden Fein Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients…

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the
U.S. Army Reserve.