Todd Thiemann


The NIST Small Business Cybersecurity Act wasn't born out of the blue. Small and medium-sized businesses have been a focal point in recent discussions about cybersecurity, and for good reason:

  1. More than half of the data breach victims referenced in Verizon’s Data Breach Investigations Report 2017 were companies with 1,000 or fewer employees.
  2. According to recent research cited by DarkReading, one-third of SMBs offer no form of cybersecurity training to employees.
  3. New analysis from Aberdeen Group found that SMBs are 63 percent more likely to experience a data breach than enterprises.

As large enterprises become increasingly dedicated to information security, hackers are going after what they perceive to be the easiest targets: SMBs. This is especially problematic in light of a notable shortage of cybersecurity talent, which has made it more difficult for modestly sized organizations to attract and retain the skills they need to defend themselves, let alone afford the necessary technology resources. To address these issues, the U.S. House Committee on Science, Space, and Technology created the NIST Small Business Cybersecurity Act last month, which will provide SMBs with resources to protect themselves more effectively in the current cyberthreat landscape.

A national prerogative

According to the House Committee, SMBs account for 54 percent of U.S. sales and 55 percent of U.S. jobs. Alarmingly, 60 percent of these businesses close their doors within six months of experiencing a cyberattack.

While the clout SMBs hold in American commerce makes them worth protecting, it’s also worth mentioning that an increasingly interconnected digital business landscape is raising the stakes for everyone. Simply put, an infiltration of one business can quickly become an intrusion into another. Perhaps the most famous example of this occurred in 2013 when Target was breached after its HVAC contractor was compromised, resulting in the theft of payment card information belonging to 40 million customers. All told, the breach cost Target about $290 million.

As significant as those losses are, Target, unlike so many SMBs that have been shuttered in the wake of a breach, is still here. For an SMB, when it rains, it pours: the damage caused by a single, serious breach is irreparable.

As of this writing, the NIST Small Business Cybersecurity Act is in the early phases. However, its long-term purpose is to establish a set of voluntary guidelines that can help small businesses reduce undue risk where possible and more effectively mitigate unavoidable risk.

How NIST helps

Specifically, NIST will provide the informational resources many SMBs need to “identify, assess, manage, and reduce their cybersecurity risks.” Guidance and resources will be supplied by federal agencies following their solicitation from the NIST director.

Relative to other cybersecurity initiatives – e.g. New York's recent regulation for financial institutions – the NIST Small Business Cybersecurity Act has a light touch. While it doesn't impose mandatory provisions on small businesses, it will hopefully provide SMBs that are trying to improve their information security operations with some much-needed resources.

What can you do now?


We can expect the implementation of the Act to take at least one year, but SMBs shouldn't sit on their hands in the meantime. First and foremost, the aforementioned fact that one-third of small businesses offer no cybersecurity training is highly concerning, though hardly irremediable: nearly half of all SMB respondents said they're open to cybersecurity training, even if it were only voluntary.

For instance, making the lines of business aware of how to spot and react to phishing scams can drastically reduce the likelihood of email-borne malware intrusions and credential theft. It may not sound like much, but according to PhishMe, 91 percent of cyberattacks start as phishing attacks. In this case, a small push goes a long way.

Beyond general awareness, SMBs should seek to affordably revamp security posture in a way that goes deeper than off-the-shelf software and reliance on MSSPs.