May 22, 2023 By Jonathan Reed 4 min read

For small organizations, the current cyber threat landscape is brutal. While big-name breaches steal the headlines, small businesses suffer the most from ransomware attacks. Additionally, other studies reveal that only half of all small businesses are prepared for a cyberattack. In the face of these challenges, NIST is creating a new initiative to help.

To help smaller organizations face the growing cyber threat, NIST recently launched its Small Business Cybersecurity Community of Interest (COI). Here’s how this new association can help your organization move forward with a cyber readiness plan today.

Small businesses need cybersecurity now

It’s far past time for small businesses to improve their cybersecurity. Consider the fact that nearly 30% of ransomware-impacted companies have only 11 to 100 employees, and over 72% of ransomware attacks affect businesses with less than 1,000 employees, as per Coveware.

The Small Business Cybersecurity COI will bring together a diverse group of companies, trade associations and other experts to share valuable insights, challenges and perspectives related to cybersecurity for small businesses. This collaboration aims to aid NIST in effectively addressing the security needs of small businesses by conducting research, encouraging collaboration and developing useful resources.

As per NIST, small organizations face a cybersecurity management dilemma. They either lack sufficient guidance tailored to their unique needs and capabilities or are flooded with excessive and complex information. This makes it difficult to know where to begin or what is most crucial for adequate security. As a result, small businesses, non-profits, educational institutions and government agencies may feel overwhelmed and reluctant to take action to mitigate security risks.

Through the NIST Cybersecurity COI, small companies and their representatives will have a platform to provide valuable feedback to the NIST Cybersecurity Center of Excellence (NCCoE) and NIST at large. This engagement will help the agency better understand how to serve the unique needs of small organizations. The goal is to guide efforts toward creating customized and practical resources for small businesses to overcome cybersecurity challenges while safeguarding digital assets.

Some benefits of joining the Small Business COI include:

  • Monthly or quarterly virtual meetings to share insights, give feedback and report on issues pertaining to security for small businesses
  • Access to free publications and other resources
  • Close contact with security experts and community members to seek solutions in a collaborative way.

State and local government alliances

In addition to rolling out the Small Business Cybersecurity COI, NIST is reinforcing joint efforts with state and local governments. Recently NIST, the state of Maryland and Montgomery County, Maryland, all renewed their partnership in support of the NCCoE.

Established in 2012, the NCCoE helps businesses secure their IT systems with practical solutions based on industry standards, best practices and commercially available technology. The center collaborates with researchers and technology vendors to provide guidance on industry-specific challenges such as securing healthcare data, protecting financial transactions and safeguarding critical infrastructure.

One goal of the renewed Maryland partnership agreement is to better address the needs of companies and institutions in the state and county, with a particular focus on small businesses, public schools and academic institutions. With that objective in mind, the agreement calls on the state and county governments to expand their efforts to facilitate the NCCoE’s relationships with Maryland-based companies.

Cybersecurity for small businesses

For small business cybersecurity, the NIST initiative is another important step in the right direction. But how can smaller organizations begin to take concrete action to improve their security posture now?

One place to start is the easy-to-use U.S. Small Business Administration (SBA) cybersecurity strategy guide. This guide offers information ranging from basic security concepts to more advanced features, such as cybersecurity planning tools.

The SBA’s list of measures that all businesses can take to improve their cybersecurity includes recommendations such as:

  • Create a cybersecurity plan: The FCC offers a cybersecurity planning tool to help build a custom strategy and cybersecurity plan based on unique small business needs.
  • Conduct a cyber resilience review: The DHS has partnered with CERT to create the Cyber Resilience Review (CRR). This non-technical assessment evaluates operational resilience and cybersecurity practices.
  • Conduct vulnerability scans: CISA offers a free cyber hygiene vulnerability scan for small businesses. Various scanning and testing services are available to help organizations assess exposure to threats. The goal is to secure systems by addressing known vulnerabilities and adjusting configurations.
  • Manage information communication technology (ICT) supply chain risk: The ICT Supply Chain Risk Management Toolkit can help shield business information and communications technology from supply chain attacks. Developed by CISA, this toolkit includes strategic messaging, social media, videos and resources. It’s designed to help raise awareness and reduce the impact of supply chain risks.
  • Free cybersecurity services and tools: CISA has compiled a list of free cybersecurity resources, including services provided by CISA, widely used open-source tools and free services offered by private and public sector organizations across the cybersecurity community. CISA also provides cyber guidance for small businesses.
  • Maintain DoD industry partner compliance: Federal contractors and subcontractors should use the ​Cybersecurity Maturity Model Certification (CMMC) program. Its purpose is to safeguard Controlled Unclassified Information (CUI) shared by the DoD. CMMC is a framework and assessor certification program that provides a model for contractors to meet a set of cybersecurity standards and requirements.

Small businesses must embrace security

In the old days, some organizations may have thought they were too small to be noticed by cyber criminals. But now we know this is not the case at all. Increasingly, small businesses, schools and local government offices are under attack. Threat actors know these organizations don’t have big budgets for security. However, this doesn’t mean small businesses must remain defenseless.

With initiatives like the NIST Small Business Cybersecurity COI, there are places to receive assistance. Cyber threats will be thwarted more effectively if we work together. So consider becoming a member of the Small Business Cybersecurity Community of Interest. Be an active participant in the narrative and join with others to make cyber safer.

More from Risk Management

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

How I got started: Ransomware negotiator

4 min read - Specialized roles in cybersecurity are proliferating, which isn’t surprising given the evolving threat landscape and the devastating impact of ransomware on many businesses.Among these roles, ransomware negotiators are becoming more and more crucial. These negotiators operate on the front lines of cyber defense, engaging directly with cyber criminals to mitigate the impact of ransomware attacks on organizations.Ransomware negotiators possess a unique blend of technical expertise, psychological insight and negotiation skills that allow them to navigate the high-stakes environment of ransomware…

The UK energy sector faces an expanding OT threat landscape

3 min read - Critical infrastructure is under attack in almost every country, but especially in the United Kingdom. The UK was the most attacked country in Europe, which is already the region most impacted by cyber incidents. The energy industry is taking the brunt of those cyberattacks, according to IBM’s X-Force Threat Intelligence Index 2024.The energy sector is a favorite target for threat actors. The complexity of systems and the reliance on legacy OT systems make them easy prey. Because of the critical…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today