The Cybersecurity for Small Business Act

The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory arm of the U.S. Department of Commerce whose mission is to promote innovation and competitiveness by providing guidance and establishing standards and frameworks. Its work has a direct impact on a variety of fields such as nanoscale science and technology, engineering, information technology, and physical measurement. Information security professionals often reference the NIST 800 series, a collection of special publications that describe the United States federal government's computer security policies, procedures and guidelines. Because these documents are readily available, many public-sector organizations with enterprise-class IT systems have also adopted much of what is described in them.

Small- to medium-sized businesses (SMBs) increasingly rely on personal computers, mobile devices, and the internet to operate more efficiently and to reach a greater number of customers. Often these same businesses lack IT talent and budget. As a result, the NIST 800 series is far too complex to leverage and is simply out of reach. Unfortunately, these limitations do not make them less desirable targets for cyber criminals. In fact, small businesses that lack the policies, procedures and guidelines that make up an effective security program are often considered easy targets. Proprietors may not even know that a system compromise ever occurred. The result can be theft of customer and/or employee Personally Identifiable Information (PII), or loss of intellectual property. For B2B vendors, it can also become the path of entry into a larger business. Brand reputation, customer relationships, and even competitive advantage can all be at risk.

Last week, President Trump signed into law the “NIST Small Business Cybersecurity Act”. This legislation requires NIST to issue guidance and a consistent set of resources to help SMBs identify, assess and reduce their cybersecurity risks within one year of the law being signed. In our currently charged political environment, the signing of this Act may not have received the attention its potential impact deserves. From health care to agriculture, there are over 30 million small businesses, found in every industry, that employ nearly half of the U.S. workforce. In 2017, SMBs' contribution to the economy was nearly $8.5 trillion and made up half of the country's GDP. SMBs are BIG business, and need to be preserved, protected, and secured.

While there is clearly a lot of business being done by SMBs, individually they continue to lack the resources necessary to cultivate an effective cybersecurity program, and they remain vulnerable. This legislation is a good first step, but it will be interesting to see the deliverables NIST produces in accordance with the law. Certainly, NIST has the intellectual capital to produce publications written for an audience of experts in their respective fields. Providing technical references for building cybersecurity programs to the non-technical, however, can be a challenge. Remember, small business owners are busy running a business and don't have the time, energy, or manpower to foster a large security program. As a result, NIST will most likely want to focus on providing guidance on a short list of topics that are relatively inexpensive in both time and dollars but still have a high impact. With that in mind, I humbly submit my personal list of “Top 5” topics that NIST might consider as part of this first step in bridging the SMB cybersecurity gap.

  1. Authentication/Authorization: How many SMBs are effectively using Role Based Access Control (RBAC) built on good authentication guidance, instead of sharing passwords and granting elevated privileges to everyone? User provisioning and appropriate system permissions can be time consuming up front but can have huge gains long term. This is also an opportunity to leverage the updated password guidance recently published by NIST, which has a new focus on password complexity, the use of password safes, and the inclusion of Multi-Factor Authentication (MFA).
  2. Secure the endpoint: Operating system and application patching is often overlooked, which is why many modern operating systems and applications include automatic updates and have reevaluated their default configurations. It is important to make sure these features are functioning as designed and achieving the desired result. Anti-virus/anti-malware software and a software firewall continue to be an important layer of protection. With an increasingly mobile workforce, VPNs that secure Wi-Fi traffic are only going to become more important. Remember, this also includes smart phones and tablets.
  3. Secure the network: Plenty of telecom companies provide small business packages bringing business-class internet into the office or home. How many of those SMBs understand the configuration of the equipment used, as well as any additional features that can be enabled? Changing default passwords and enabling encryption and firewall functionality can be important.
  4. Third-party risk: Even larger enterprise environments struggle with assessing and reporting on the risk introduced by vendors. If you are going to trust them with your data, they should be able to tell you how they are going to help protect it. With many SMBs leveraging SaaS and PaaS cloud services, understanding how to evaluate any risk created by these services is important.
  5. Security awareness: No amount of money can fully reduce risk if your employees don't know how to identify a phishing email, aren't aware of what they download, or don't know how to protect important data. Training and maintaining awareness is an important component of fostering a security culture within the team.

As hard as we try to create guidance that helps SMBs build an effective and attainable cybersecurity program, there will still be at least some financial impact. It is my hope that when NIST publishes its own far more detailed guidance, additional steps will be taken to further encourage and assist SMBs in filling the existing security gaps. Expenses related to software licenses, training, and conducting risk assessments are always going to be felt. Tax credits tied to the guidance could certainly help make an effective cybersecurity program achievable for small businesses. This would demonstrate an incredible commitment to supporting the sustainability and longevity of a huge segment of our economy.

Great article, Michael.
