May 22, 2023 By Jonathan Reed 4 min read

For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies reveal that only half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST is creating a new initiative to help.

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

Small businesses need cybersecurity now

It’s far past time for small businesses to improve their cybersecurity. Consider the fact that nearly 30% of ransomware-impacted companies have only 11 to 100 employees, and over 72% of ransomware attacks affect businesses with less than 1,000 employees, as per Coveware.

The Small Business Cybersecurity COI will bring together a diverse group of companies, trade associations and other experts to share valuable insights, challenges and perspectives related to cybersecurity for small businesses. This collaboration aims to aid NIST in effectively addressing the security needs of small businesses by conducting research, encouraging collaboration and developing useful resources.

As per NIST, small organizations face a cybersecurity management dilemma. They either lack sufficient guidance tailored to their unique needs and capabilities or are flooded with excessive and complex information. This makes it difficult to know where to begin or what is most crucial for adequate security. As a result, small businesses, non-profits, educational institutions and government agencies may feel overwhelmed and reluctant to take action to mitigate security risks.

Through the NIST Cybersecurity COI, small companies and their representatives will have a platform to provide valuable feedback to the NIST Cybersecurity Center of Excellence (NCCoE) and NIST at large. This engagement will help the agency better understand how to serve the unique needs of small organizations. The goal is to guide efforts toward creating customized and practical resources for small businesses to overcome cybersecurity challenges while safeguarding digital assets.

Some benefits of joining the Small Business COI include:

  • Monthly or quarterly virtual meetings to share insights, give feedback and report on issues pertaining to security for small businesses
  • Access to free publications and other resources
  • Close contact with security experts and community members to seek solutions in a collaborative way.

State and local government alliances

In addition to rolling out the Small Business Cybersecurity COI, NIST is reinforcing joint efforts with state and local governments. Recently NIST, the state of Maryland and Montgomery County, Maryland, all renewed their partnership in support of the NCCoE.

Established in 2012, the NCCoE helps businesses secure their IT systems with practical solutions based on industry standards, best practices and commercially available technology. The center collaborates with researchers and technology vendors to provide guidance on industry-specific challenges such as securing healthcare data, protecting financial transactions and safeguarding critical infrastructure.

One goal of the renewed Maryland partnership agreement is to better address the needs of companies and institutions in the state and county, with a particular focus on small businesses, public schools and academic institutions. With that objective in mind, the agreement calls on the state and county governments to expand their efforts to facilitate the NCCoE’s relationships with Maryland-based companies.

Cybersecurity for small businesses

For small business cybersecurity, the NIST initiative is another important step in the right direction. But how can smaller organizations begin to take concrete action to improve their security posture now?

One place to start is the easy-to-use U.S. Small Business Administration (SBA) cybersecurity strategy guide. This guide offers information ranging from basic security concepts to more advanced features, such as cybersecurity planning tools.

The SBA’s list of measures that all businesses can take to improve their cybersecurity includes recommendations such as:

  • Create a cybersecurity plan: The FCC offers a cybersecurity planning tool to help build a custom strategy and cybersecurity plan based on unique small business needs.
  • Conduct a cyber resilience review: The DHS has partnered with CERT to create the Cyber Resilience Review (CRR). This non-technical assessment evaluates operational resilience and cybersecurity practices.
  • Conduct vulnerability scans: CISA offers a free cyber hygiene vulnerability scan for small businesses. Various scanning and testing services are available to help organizations assess exposure to threats. The goal is to secure systems by addressing known vulnerabilities and adjusting configurations.
  • Manage information communication technology (ICT) supply chain risk: The ICT Supply Chain Risk Management Toolkit can help shield business information and communications technology from supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos and resources. It’s designed to help raise awareness and reduce the impact of supply chain risks.
  • Free cybersecurity services and tools: CISA has compiled a list of free cybersecurity resources, including services provided by CISA, widely used open-source tools and free services offered by private and public sector organizations across the cybersecurity community. CISA also provides cyber guidance for small businesses.
  • Maintain DoD industry partner compliance: Federal contractors and subcontractors should use the ​Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements.

Small businesses must embrace security

In the old days, some organizations may have thought they were too small to be noticed by cyber criminals. But now we know this is not the case at all. Increasingly, small businesses, schools and local government offices are under attack. Threat actors know these organizations don’t have big budgets for security. However, this doesn’t mean small businesses must remain defenseless.

With initiatives like the NIST Small Business Cybersecurity COI, there are places to receive assistance. Cyber threats will be thwarted more effectively if we work together. So consider becoming a member of the Small Business Cybersecurity Community of Interest. Be an active participant in the narrative and join with others to make cyber safer.

More from Risk Management

Digital solidarity vs. digital sovereignty: Which side are you on?

4 min read - The landscape of international cyber policy continues to evolve rapidly, reflecting the dynamic nature of technology and global geopolitics. Central to this evolution are two competing concepts: digital solidarity and digital sovereignty.The U.S. Department of State, through its newly released International Cyberspace and Digital Policy Strategy, has articulated a clear preference for digital solidarity, positioning it as a counterpoint to the protectionist approach of digital sovereignty.What are the main differences between these two concepts, and why does it matter? Let’s…

A decade of global cyberattacks, and where they left us

5 min read - The cyberattack landscape has seen monumental shifts and enormous growth in the past decade or so.I spoke to Michelle Alvarez, X-Force Strategic Threat Analysis Manager at IBM, who told me that the most visible change in cybersecurity can be summed up in one word: scale. A decade ago, “'mega-breaches' were relatively rare, but now feel like an everyday occurrence.”A summary of the past decade in global cyberattacksThe cybersecurity landscape has been impacted by major world events, especially in recent years.…

It all adds up: Pretexting in executive compromise

4 min read - Executives hold the keys to the corporate kingdom. If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.While phishing remains the primary pathway to executive compromise, increasing C-suite awareness of this risk requires a more in-depth approach from attackers: Pretexting.What is pretexting?Pretexting is the use of a fabricated story or narrative — a “pretext” — to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today