May 22, 2023 By Jonathan Reed 4 min read

For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies reveal that only half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST is creating a new initiative to help.

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

Small businesses need cybersecurity now

It’s far past time for small businesses to improve their cybersecurity. Consider the fact that nearly 30% of ransomware-impacted companies have only 11 to 100 employees, and over 72% of ransomware attacks affect businesses with fewer than 1,000 employees, as per Coveware.

The Small Business Cybersecurity COI will bring together a diverse group of companies, trade associations and other experts to share valuable insights, challenges and perspectives related to cybersecurity for small businesses. This collaboration aims to aid NIST in effectively addressing the security needs of small businesses by conducting research, encouraging collaboration and developing useful resources.

As per NIST, small organizations face a cybersecurity management dilemma. They either lack sufficient guidance tailored to their unique needs and capabilities or are flooded with excessive and complex information. This makes it difficult to know where to begin or what is most crucial for adequate security. As a result, small businesses, non-profits, educational institutions and government agencies may feel overwhelmed and reluctant to take action to mitigate security risks.

Through the NIST Cybersecurity COI, small companies and their representatives will have a platform to provide valuable feedback to the NIST Cybersecurity Center of Excellence (NCCoE) and NIST at large. This engagement will help the agency better understand how to serve the unique needs of small organizations. The goal is to guide efforts toward creating customized and practical resources for small businesses to overcome cybersecurity challenges while safeguarding digital assets.

Some benefits of joining the Small Business COI include:

  • Monthly or quarterly virtual meetings to share insights, give feedback and report on issues pertaining to security for small businesses
  • Access to free publications and other resources
  • Close contact with security experts and community members to seek solutions in a collaborative way

State and local government alliances

In addition to rolling out the Small Business Cybersecurity COI, NIST is reinforcing joint efforts with state and local governments. Recently NIST, the state of Maryland and Montgomery County, Maryland, all renewed their partnership in support of the NCCoE.

Established in 2012, the NCCoE helps businesses secure their IT systems with practical solutions based on industry standards, best practices and commercially available technology. The center collaborates with researchers and technology vendors to provide guidance on industry-specific challenges such as securing healthcare data, protecting financial transactions and safeguarding critical infrastructure.

One goal of the renewed Maryland partnership agreement is to better address the needs of companies and institutions in the state and county, with a particular focus on small businesses, public schools and academic institutions. With that objective in mind, the agreement calls on the state and county governments to expand their efforts to facilitate the NCCoE’s relationships with Maryland-based companies.

Cybersecurity for small businesses

For small business cybersecurity, the NIST initiative is another important step in the right direction. But how can smaller organizations begin to take concrete action to improve their security posture now?

One place to start is the easy-to-use U.S. Small Business Administration (SBA) cybersecurity strategy guide. This guide offers information ranging from basic security concepts to more advanced features, such as cybersecurity planning tools.

The SBA’s list of measures that all businesses can take to improve their cybersecurity includes recommendations such as:

  • Create a cybersecurity plan: The FCC offers a cybersecurity planning tool to help build a custom strategy and cybersecurity plan based on unique small business needs.
  • Conduct a cyber resilience review: The DHS has partnered with CERT to create the Cyber Resilience Review (CRR). This non-technical assessment evaluates operational resilience and cybersecurity practices.
  • Conduct vulnerability scans: CISA offers a free cyber hygiene vulnerability scan for small businesses. Various scanning and testing services are available to help organizations assess exposure to threats. The goal is to secure systems by addressing known vulnerabilities and adjusting configurations.
  • Manage information communication technology (ICT) supply chain risk: The ICT Supply Chain Risk Management Toolkit can help shield business information and communications technology from supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos and resources. It’s designed to help raise awareness and reduce the impact of supply chain risks.
  • Free cybersecurity services and tools: CISA has compiled a list of free cybersecurity resources, including services provided by CISA, widely used open-source tools and free services offered by private and public sector organizations across the cybersecurity community. CISA also provides cyber guidance for small businesses.
  • Maintain DoD industry partner compliance: Federal contractors and subcontractors should use the Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements.

Small businesses must embrace security

In the old days, some organizations may have thought they were too small to be noticed by cyber criminals. But now we know this is not the case at all. Increasingly, small businesses, schools and local government offices are under attack. Threat actors know these organizations don’t have big budgets for security. However, this doesn’t mean small businesses must remain defenseless.

With initiatives like the NIST Small Business Cybersecurity COI, there are places to receive assistance. Cyber threats will be thwarted more effectively if we work together. So consider becoming a member of the Small Business Cybersecurity Community of Interest. Be an active participant in the narrative and join with others to make cyber safer.
