May 22, 2023 By Jonathan Reed 4 min read

For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies reveal that only half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST is creating a new initiative to help.

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

Small businesses need cybersecurity now

It’s far past time for small businesses to improve their cybersecurity. Consider the fact that nearly 30% of ransomware-impacted companies have only 11 to 100 employees, and over 72% of ransomware attacks affect businesses with fewer than 1,000 employees, according to Coveware.

The Small Business Cybersecurity COI will bring together a diverse group of companies, trade associations and other experts to share valuable insights, challenges and perspectives related to cybersecurity for small businesses. This collaboration aims to aid NIST in effectively addressing the security needs of small businesses by conducting research, encouraging collaboration and developing useful resources.

As per NIST, small organizations face a cybersecurity management dilemma. They either lack sufficient guidance tailored to their unique needs and capabilities or are flooded with excessive and complex information. This makes it difficult to know where to begin or what is most crucial for adequate security. As a result, small businesses, non-profits, educational institutions and government agencies may feel overwhelmed and reluctant to take action to mitigate security risks.

Through the NIST Cybersecurity COI, small companies and their representatives will have a platform to provide valuable feedback to the NIST Cybersecurity Center of Excellence (NCCoE) and NIST at large. This engagement will help the agency better understand how to serve the unique needs of small organizations. The goal is to guide efforts toward creating customized and practical resources for small businesses to overcome cybersecurity challenges while safeguarding digital assets.

Some benefits of joining the Small Business COI include:

  • Monthly or quarterly virtual meetings to share insights, give feedback and report on issues pertaining to security for small businesses
  • Access to free publications and other resources
  • Close contact with security experts and community members to seek solutions in a collaborative way

State and local government alliances

In addition to rolling out the Small Business Cybersecurity COI, NIST is reinforcing joint efforts with state and local governments. Recently, NIST, the state of Maryland and Montgomery County, Maryland, all renewed their partnership in support of the NCCoE.

Established in 2012, the NCCoE helps businesses secure their IT systems with practical solutions based on industry standards, best practices and commercially available technology. The center collaborates with researchers and technology vendors to provide guidance on industry-specific challenges such as securing healthcare data, protecting financial transactions and safeguarding critical infrastructure.

One goal of the renewed Maryland partnership agreement is to better address the needs of companies and institutions in the state and county, with a particular focus on small businesses, public schools and academic institutions. With that objective in mind, the agreement calls on the state and county governments to expand their efforts to facilitate the NCCoE’s relationships with Maryland-based companies.

Cybersecurity for small businesses

For small business cybersecurity, the NIST initiative is another important step in the right direction. But how can smaller organizations begin to take concrete action to improve their security posture now?

One place to start is the easy-to-use U.S. Small Business Administration (SBA) cybersecurity strategy guide. This guide offers information ranging from basic security concepts to more advanced features, such as cybersecurity planning tools.

The SBA’s list of measures that all businesses can take to improve their cybersecurity includes recommendations such as:

  • Create a cybersecurity plan: The FCC offers a cybersecurity planning tool to help build a custom strategy and cybersecurity plan based on unique small business needs.
  • Conduct a cyber resilience review: The DHS has partnered with CERT to create the Cyber Resilience Review (CRR). This non-technical assessment evaluates operational resilience and cybersecurity practices.
  • Conduct vulnerability scans: CISA offers a free cyber hygiene vulnerability scan for small businesses. Various scanning and testing services are available to help organizations assess exposure to threats. The goal is to secure systems by addressing known vulnerabilities and adjusting configurations.
  • Manage information communication technology (ICT) supply chain risk: The ICT Supply Chain Risk Management Toolkit can help shield business information and communications technology from supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos and resources. It’s designed to help raise awareness and reduce the impact of supply chain risks.
  • Free cybersecurity services and tools: CISA has compiled a list of free cybersecurity resources, including services provided by CISA, widely used open-source tools and free services offered by private and public sector organizations across the cybersecurity community. CISA also provides cyber guidance for small businesses.
  • Maintain DoD industry partner compliance: Federal contractors and subcontractors should use the Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements.

Small businesses must embrace security

In the old days, some organizations may have thought they were too small to be noticed by cyber criminals. But now we know this is not the case at all. Increasingly, small businesses, schools and local government offices are under attack. Threat actors know these organizations don’t have big budgets for security. However, this doesn’t mean small businesses must remain defenseless.

With initiatives like the NIST Small Business Cybersecurity COI, there are places to receive assistance. Cyber threats will be thwarted more effectively if we work together. So consider becoming a member of the Small Business Cybersecurity Community of Interest. Be an active participant in the narrative and join with others to make cyber safer.
