May 22, 2023 By Jonathan Reed 4 min read

For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies find that only about half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST has launched a new initiative to help.

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

Small businesses need cybersecurity now

It’s far past time for small businesses to improve their cybersecurity. Consider the fact that nearly 30% of ransomware-impacted companies have only 11 to 100 employees, and over 72% of ransomware attacks affect businesses with fewer than 1,000 employees, according to Coveware.

The Small Business Cybersecurity COI will bring together a diverse group of companies, trade associations and other experts to share valuable insights, challenges and perspectives related to cybersecurity for small businesses. This collaboration aims to aid NIST in effectively addressing the security needs of small businesses by conducting research, encouraging collaboration and developing useful resources.

As per NIST, small organizations face a cybersecurity management dilemma. They either lack sufficient guidance tailored to their unique needs and capabilities or are flooded with excessive and complex information. This makes it difficult to know where to begin or what is most crucial for adequate security. As a result, small businesses, non-profits, educational institutions and government agencies may feel overwhelmed and reluctant to take action to mitigate security risks.

Through the Small Business Cybersecurity COI, small companies and their representatives will have a platform to provide valuable feedback to the National Cybersecurity Center of Excellence (NCCoE) and NIST at large. This engagement will help the agency better understand how to serve the unique needs of small organizations. The goal is to guide efforts toward creating customized and practical resources that help small businesses overcome cybersecurity challenges while safeguarding their digital assets.

Some benefits of joining the Small Business COI include:

  • Monthly or quarterly virtual meetings to share insights, give feedback and report on issues pertaining to security for small businesses
  • Access to free publications and other resources
  • Close contact with security experts and community members to seek solutions in a collaborative way

State and local government alliances

In addition to rolling out the Small Business Cybersecurity COI, NIST is reinforcing joint efforts with state and local governments. Recently NIST, the state of Maryland and Montgomery County, Maryland, all renewed their partnership in support of the NCCoE.

Established in 2012, the NCCoE helps businesses secure their IT systems with practical solutions based on industry standards, best practices and commercially available technology. The center collaborates with researchers and technology vendors to provide guidance on industry-specific challenges such as securing healthcare data, protecting financial transactions and safeguarding critical infrastructure.

One goal of the renewed Maryland partnership agreement is to better address the needs of companies and institutions in the state and county, with a particular focus on small businesses, public schools and academic institutions. With that objective in mind, the agreement calls on the state and county governments to expand their efforts to facilitate the NCCoE’s relationships with Maryland-based companies.

Cybersecurity for small businesses

For small business cybersecurity, the NIST initiative is another important step in the right direction. But how can smaller organizations begin to take concrete action to improve their security posture now?

One place to start is the easy-to-use U.S. Small Business Administration (SBA) cybersecurity strategy guide. This guide offers information ranging from basic security concepts to more advanced features, such as cybersecurity planning tools.

The SBA’s list of measures that all businesses can take to improve their cybersecurity includes recommendations such as:

  • Create a cybersecurity plan: The FCC offers a cybersecurity planning tool to help build a custom strategy and cybersecurity plan based on unique small business needs.
  • Conduct a cyber resilience review: DHS partnered with the CERT Division of Carnegie Mellon University’s Software Engineering Institute to create the Cyber Resilience Review (CRR). This non-technical, interview-based assessment evaluates operational resilience and cybersecurity practices, and it can be run as a self-assessment or facilitated by DHS.
  • Conduct vulnerability scans: CISA offers a free Cyber Hygiene vulnerability scanning service that checks an organization’s internet-facing systems for known vulnerabilities and weak configurations and reports the findings on a recurring basis. Various scanning and testing services are available to help organizations assess their exposure to threats. The goal is to secure systems by addressing known vulnerabilities and adjusting configurations. Note that this type of scan covers only externally exposed hosts; internal systems and workstations need separate scanning.
  • Manage information communication technology (ICT) supply chain risk: The ICT Supply Chain Risk Management Toolkit can help shield business information and communications technology from supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos and resources. It’s designed to help raise awareness and reduce the impact of supply chain risks.
  • Free cybersecurity services and tools: CISA has compiled a list of free cybersecurity resources, including services provided by CISA, widely used open-source tools and free services offered by private and public sector organizations across the cybersecurity community. CISA also provides cyber guidance for small businesses.
  • Maintain DoD industry partner compliance: Defense contractors and subcontractors should use the ​Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements before handling DoD information.

Small businesses must embrace security

Not long ago, some organizations may have assumed they were too small to be noticed by cyber criminals. We now know this is not the case at all. Increasingly, small businesses, schools and local government offices are under attack. Threat actors know these organizations don’t have big budgets for security. However, this doesn’t mean small businesses must remain defenseless.

With initiatives like the NIST Small Business Cybersecurity COI, there are places to receive assistance. Cyber threats will be thwarted more effectively if we work together. So consider becoming a member of the Small Business Cybersecurity Community of Interest. Be an active participant in the narrative and join with others to make cyber safer.
