Small businesses aren't getting their cybersecurity strategies right, according to new evidence from researchers. And with consequences ranging from data theft to noncompliance penalties, the stakes are high.
The National Institute of Standards and Technology (NIST) is looking to help. With a guide developed for SMEs in need of cybersecurity direction, NIST's latest paper, "Small Business Information Security: The Fundamentals," released last week, aims to shed light on basic cybersecurity measures SMEs must take.
Separate research released this month suggests that, indeed, SMEs need to start with the basics.
Analysts at Clutch found that, despite knowing the risks, small businesses largely continue to use free cloud data storage services, even to store highly sensitive information, like banking and medical information. Free data storage services, the report said, may be an irresponsible choice for SMEs, though the report also found that, regardless of the security of the cloud data storage service, employee mistakes are often to blame for data breaches at SMEs.
NIST, operating under the U.S. Department of Commerce, acknowledged that cybersecurity may not be at the top of SMEs' priority lists.
"However," the institute wrote, "an information security or cybersecurity incident can be detrimental to their business, customers, employees, business partners and, potentially, their community."
"It is vitally important that each small business understand and manage the risk to information, systems and networks that support their business," the report declared.
SMEs A Target
Small businesses, NIST said, are a particularly large target for attackers. In part, that's due to the more stringent security measures that individuals and larger corporations have taken on in recent years. Without massive budgets and resources to allocate to cybersecurity, SMEs become an easy win for cyberattackers.
"Businesses of all sizes face potential risks when operating online and, therefore, need to consider their cybersecurity," the report's lead author, Pat Toth, said in a statement. "Small businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals."
Ease is not the only motivation for attacking an SME, however. Revenge or a desire to cause "havoc" are also common reasons a small business may be targeted.
Making matters even more complicated, it's not only cyberthieves that can compromise a business' data: Environmental disasters could disrupt computer systems, for instance.
Back To Basics
Cybersecurity may not be a top priority for SMEs, and even for those business owners who do want to secure their businesses, NIST noted that cybersecurity measures may seem overwhelming.
Still, data protection must be treated as part of the overall business plan, the report said. Employees expect their data to be kept secure, as do an SME's customers.
The first step is to assess the business's risk, whether the threat is environmental or stems from business resources, like equipment failures or a disruption in the supply chain. And, of course, the threat of outside attackers, like hackers, must be acknowledged.
Assessing risk involves examining these threats and identifying vulnerabilities within the organization. It also includes estimating how likely each threat is to affect the business and what impact a data breach or other event would have.
NIST also suggests that SMEs seek outside help when they decide to implement a cybersecurity plan. Doing so can help a company establish controls over who within the organization can access data, conduct background checks on employees and develop company policies for data security.
Securing equipment and business networks is also key, the report noted, adding that encryption, the safe disposal of old computers and equipment, antivirus programs and other resources are crucial.
SMEs need to develop a plan of action if and when an event occurs, as well as a plan to recover any compromised data.
Safeguarding From All Sides
At a glance, NIST's suggestions for how an SME can implement a cybersecurity strategy include a variety of approaches.
Some are quite technical — like implementing antivirus software or encrypting data — and may require assistance from third-party vendors. Others, however, are more behavioral. For instance, the report suggests that small business owners need to pay attention to employees and other individuals working within the company. Being wary of email attachments or links and separating business from personal activities on devices and online accounts can be easy yet effective ways to protect information.