How Does the NIST Small Business Security Act Affect Your SMB?

2018 brought a lot of change to small business. In the wake of many new cybersecurity threats and breaches, the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act was passed into law in August 2018, and it requires NIST to provide cybersecurity resources to small and medium-sized businesses (SMBs) to help protect them against future problems.

With the exponential increase in cyberattacks, it is great to see a continued investment in cybersecurity initiatives. Small businesses are not immune to threats and are often not equipped with the IT resources or personnel to protect their networks. The NIST Small Business Cybersecurity Act will provide SMBs with a simplified cybersecurity framework as a starting point for any efforts to protect their businesses from threats.

What is NIST?

NIST is a United States government agency, under the Department of Commerce, that promotes industry competitiveness in all nationally important areas, from communications and cybersecurity to advanced manufacturing and disaster resilience. NIST provides standards and guidelines for the federal government. The Small Business Cybersecurity Act is based on NIST’s Framework for Improving Critical Infrastructure, which provides standards and best practices to protect the nation’s critical infrastructure. This framework, launched in 2014, is also voluntary, but it provides organizations a simple methodology to identify, assess and manage cybersecurity risks. By taking the same simple approach from the framework, the Small Business Cybersecurity Act provides small and medium businesses a simple risk assessment to understand where their vulnerabilities lie, and which actions to take to fix those vulnerabilities.

Why Is This Good News for SMBs?

Small and medium businesses are just as likely to be targeted by hackers as large enterprises and corporations. However, due to their size and limited budgets, they often lack the IT expertise and resources to adequately protect their networks and employees. This new framework will provide SMBs a variety of resources to help them understand the evolving cybersecurity risks, including worksheets and best practices for basic security measures and tools they can implement, as well as methodologies to educate and train employees on cyberthreats and various attack vectors so they can adequately identify and stop attacks. The law also specifies that NIST must provide resources specifically for SMBs in any industry with any type of data or devices in their networks and be technology-neutral.

Many small businesses may not even realize that their data is at risk. SMBs utilizing third-party vendors to manage their networks and data may assume they are not responsible in the event of a breach. However, the authorities and governing bodies will hold the business owner responsible for any breach, no matter who’s fault it was. With third-party breaches taking over the news recently, it is crucial for SMBs of any industry and size to take cybersecurity very seriously and put the right tools in place to protect their network, data and customer information. This new NIST framework will help SMBs take note of the risks third-party vendors can bring, educating business owners to take their time when selecting one.

What Does This Mean for Customers?

Customers of SMBs that implement the NIST Small Business Cybersecurity Act can breathe a sigh of relief knowing that their data is being proactively protected from hackers. Customers may take note of businesses that are not doing enough to protect their personal data, and may start shopping and utilizing companies that do take cybersecurity protection seriously.

As more and more companies experience large-scale breaches, customers are increasingly becoming savvy to which organizations are protecting their data. Companies that aren’t taking adequate measures may come under fire and be less appealing to customers.

Here's What SMBs Should Know:

This framework will be a great resource for SMBs to compare their current network security protection (or lack thereof) to and see what additional security measures they should implement or consider. Since this framework is only voluntary and not required, it may be that not enough small businesses utilize these resources. If more and more breaches are to occur, specifically targeting SMBs, we may see NIST take action and make this framework into a standard that companies must abide by or face penalties.

What Does This Mean for Vendors’ SMB Security Solutions?

Since the framework will not specify security solutions, each security provider will need identify how their solutions fit into the NIST guidelines. Compliant companies are likely to tout their solutions as being in line with NIST recommendations, which will be a key indicator for SMBs as they look for credible solution providers. SMBs should take their time and research options before selecting a vendor to work with. Vendors that specifically cater to SMBs are often more keenly aware of the needs of SMBs and often provide affordable, flexible solutions that simplify complex cybersecurity issues.

The NIST Small Business Cybersecurity Act is a step in the right direction as we continue to encounter an increasingly diverse and rapidly changing threat landscape. Small businesses are particularly susceptible. It’s increasingly important that we offer them more guidance and options for security – and potentially more regulations to protect their customers – in the future. While this law only instructs for the creation of information at this point, this information can be vital to small businesses who have previously lacked the basics to properly protect their company and customers.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.