Recognizing that 60% of small businesses fail within six months of suffering a data breach, in November 2016, the National Institute of Standards and Technology (“NIST”) issued a cybersecurity guide for small businesses to help keep their sensitive data and computer systems secure, publishing the Small Business Information Security: The Fundamentals, which sets forth various measures they can implement to protect their customers’ personal identifying information.
In issuing the small businesses cybersecurity guide for small businesses, NIST is seeking to disabuse such entities that (1) they are too small to be targeted by hackers and (2) that it is too costly for them to take reasonable steps to protect sensitive data. In fact, both premises are false and, the failure to act by instituting reasonable and affordable data policies to safeguard data, places their businesses at risk. As explained by NIST, “the guide is written for small-business owners not experienced in cybersecurity and explains basic steps they can take to better protect their information systems.” See NIST News Release Here.
Cyber-attacks, whether perpetrated by individual hackers, state actors, organized syndicates or loosely affiliated, sophisticated criminals seeking intelligence and/or proprietary information or to profit from stolen data or both, is a reality. Nary does a week pass without organizations of all sizes reporting a data breach where the personal identifying information of their customers, members, clients and/or employees were exposed.
As hackers choose their mark indiscriminately, seeking only a vulnerable network to penetrate that maintains the information they seek, the cyber-attacks have hit a broad cross-section of industry. Consequently, no industry or organization, from big to mid-size to small, should be harboring the mistaken belief that they will not draw the gaze of a hacker. Target, Home Depot, JP Morgan Chase, Sony (twice), Anthem, Yahoo! (three times), Michaels, plus numerous regional chains and restaurants, as well as smaller businesses have all suffered security breaches resulting in the disclosure of personal identifying information, private health information and trade secrets.
With respect to small businesses, Symantec’s 2016 Internet Security Threat Report found that, overall, they are the targets of phishing attacks 43 percent of the time. Moreover, reports indicate that 9 out of 10 small businesses do not have written employe data polices in place, let alone cybersecurity employee training to educate employees of any standards, policies and procedures that may be in place to protect and safeguard sensitive information. Indeed, as part of any effective employee cyber-training program, educating employees concerning phishing scams, social engineering, spoofing, malware, ransomware and viruses is an essential, inexpensive component to reducing the risk of hacking, particularly since employees are widely reported to be the most vulnerable link in the data security chain, inadvertently clicking on malicious links that grant hackers access to computer systems and sensitive information.
The NIST guide for small business, borrowing from NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, which is designed to protect the nation’s critical infrastructure, provides simplified, cost-effective recommendations that small businesses can institute to protect their data. The guide includes, among other things, tools for conducting basic cyber risk assessments, to identifying and classifying data, to developing employee data security policies.
According to NIST, the guide describes how to:
- limit employee access to data and information;
- train employees about information security;
- create policy and procedures for information security;
- encrypt data;
- install web and email filters
- backup data and maintain a disaster data restoration policy; and
- patch, or update, operating systems and applications.
In addition, NIST also suggests that small businesses considering “installing surge protectors and uninterruptible power supplies to allow employees to continue to work through power outages and to save data,” purchasing cybersecurity insurance and finding reputable cybersecurity contractors.
As the NIST guide and cyber-related studies make plain, small businesses are regularly exposed to cyberattacks from which they may be unable to recover. The implementation of reasonable, cost-effective policies to protect sensitive data, along with informative employee training are important tools that small businesses can use to reduce the risk of data breaches that proves fatal and should be considered by all such organizations.