The National Institute of Standards and Technology, usually referred to as NIST, has many valuable resources, including resources for computer security. The NIST Cybersecurity Framework (NIST CSF) and the NIST 800 series are familiar to most people in the information security industry. The NIST standards are commonly used not only by organizations that are bound to them for regulatory or contractual reasons, but also by those in search of solid guidance on information security topics for general controls.
In August, President Trump signed a congressional act that requires NIST to provide guidance and resources for small businesses to “identify, assess, manage, and reduce their cybersecurity risks.” While voluntary, if history is any guide, these resources should prove valuable for these small businesses looking to improve their cybersecurity program and in turn lower the risks to their organizations.
Why Do Resources Directed to Small Businesses Matter?
Small businesses face many challenges. They often don’t have fully defined IT functions, let alone information security functions, yet they face many of the same information security threats as larger companies.
They are often under great pressure from their business-to-business customers to meet certain information security requirements. One of the most common issues that I hear about from small businesses is that they are spending a lot of time working to fill out vendor questionnaires and demonstrate that they have secure systems and processes. For many smaller companies, these vendor questionnaires can be time-consuming and burdensome. Specific guidance about information security from NIST may be helpful for organizations looking for a good place to start, but for whom some of the more comprehensive standards may be overwhelming.
The First Step – Identify
Often, one of the biggest challenges that organizations looking to increase their information security face is how to prioritize efforts. Protecting systems and data can seem daunting, especially in the face of a constant barrage of news stories about data breaches and cyber attacks. For an entity with little to no security program, knowing where to start is often unclear. Hopefully these new NIST resources will provide guidance on what is most important for smaller enterprises to focus on.
My advice is always to start with a risk- and data-driven approach. The first step should be to understand what data and systems you have, and identify the threats to them. Without a full understanding of what you have, it is nearly impossible to determine how to direct information security efforts and resources. It is essential to understand not only what data you have, but where it came from, who owns it, where and how it is stored and who has access, with whom it is shared, and how it is retained and destroyed. Once you have a good handle on this, it is much easier to determine what security controls are appropriate. Once the identify step is complete, the assess, manage, and reduce steps will become much easier.
Will it Help?
There are many resources already available for businesses looking to increase the effectiveness of their information security program, so it is easy to wonder if another resource will make a difference. Hopefully, direct guidance from NIST, created specifically for small businesses, will give them direction and will be referenced and used.