June 11, 2019
We have all learned by now that no business, large or small, is immune from cybercrime. So how can we leverage what small businesses have that many large companies may not? Two of a small business's greatest qualities are the ability to adapt quickly to changing conditions and the ability to operate with lean resources in order to grow profits. Keeping internal resources lean means outsourcing to providers with the expertise and experience to serve the business effectively.
The good news is that, as an industry, we are becoming more organized, with standards and guidelines that small businesses can use to prepare. One of these comes from the National Institute of Standards and Technology (NIST): the NIST Cybersecurity Framework. On August 14, 2018, the federal government enacted S.770, the NIST Small Business Cybersecurity Act, which directs NIST to provide small businesses with resources based on the Framework. Federal agencies had already been directed to use the Framework (by Executive Order 13800 in 2017); for everyone else it is a standardized model and methodology that any organization can voluntarily adopt to be better prepared and more resilient in the event of an attack.
Built and refined over the last several years, the Framework at its core breaks down into five Functions that an organization can use as the skeleton of its own program:
Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
The full set of standards, guidelines, and best practices for managing cybersecurity-related risk, with its Functions, Categories, Subcategories, and Informative References, can be found at https://www.nist.gov/cyberframework.
What Small Businesses should do:
As with most successful businesses, it comes back to having a solid team and a solid strategic plan. Our businesses operate and grow best from some form of strategic plan, and cybersecurity should be approached no differently. Next comes the task of building the team.
Ironic as it may seem, the IT profession is not subject to any required industry certification or government regulation. CPAs care for our financial assets and wellbeing. JDs care for our legal assets and wellbeing. PHRs care for our human assets and wellbeing. CPIAs care for insuring our business and staff. Data is the new currency: customer records, supplier records, accounting records, product data, and production data. Those responsible for the care, wellbeing, and security of these assets, this new currency, should be held to the same level of fiduciary duty.
Getting started means starting with an assessment, and an internal assessment is the best beginning. Next, go to the trusted relationships you already have: your attorney, your accounting firm, your insurance provider, and your IT firm. This is your team. Even large organizations outsource to supplement, complement, and audit their internal departments and processes. The internal assessment gives your team the essentials it needs to develop a more comprehensive plan. It may also reveal whether your go-to team is the right team, with the capabilities and skill sets to match your cybersecurity needs.