Cybersecurity Fundamentals: Why NIST Still Matters for SMBs

Listen to learn about the new NIST CSF 2.0 Small Business Quick Start Guide and identify the five fundamentals that actually move the needle on your security.

"I can’t think about cybersecurity this week; I’m thinking about 1099s."

If you’ve ever felt that way, you’re not alone. Most small business owners feel that the NIST Cybersecurity Framework (CSF) is a 500-page manual meant for government contractors, not a local hardware store or a growing startup.

In this episode, Jen Stone sits down with Daniel Eliot, the lead for small business engagement at NIST. Daniel explains how NIST has pivoted to create "small-chunk" resources specifically for under-resourced organizations. We break down the new NIST CSF 2.0 Small Business Quick Start Guide and identify the five fundamentals that actually move the needle on your security. 

In this episode, we cover:

  • Why having "everyone" responsible means "nobody" is responsible.
  • How to build a "reasonable" security program while managing payroll and daily operations.
  • Why taking security seriously helps you win bigger contracts and scale safely.
  • The exact steps (MFA, patching, backups, and more) that even large orgs get wrong.

NIST Resources

  • NIST (National Institute of Standards and Technology): https://www.nist.gov/
  • Small Business Cybersecurity Corner: https://www.nist.gov/itl/smallbusinesscyber
  • NIST CSF 2.0 (Cybersecurity Framework): https://www.nist.gov/cyberframework
  • Small Business Quick Start Guide: https://www.nist.gov/publications/nist-cybersecurity-framework-20-small-business-quick-start-guide
  • Contact Daniel and his team: smallbizsecurity@nist.gov

Key Term Definitions

  • The 6 Functions: The high-level organization of the CSF: Govern, Identify, Protect, Detect, Respond, and Recover.
  • MFA (Multi-Factor Authentication): A core security fundamental requiring multiple forms of verification to protect account access.
  • Patching: The process of updating software to eliminate vulnerabilities that cybercriminals might exploit.
  • Administrative Privileges: High-level access rights that should be limited and reviewed to prevent day-to-day misuse.
  • MSP/MSSP: Managed Service Providers or Managed Security Service Providers—local experts that SMBs can hire to help manage complex cybersecurity tasks.

Timestamps

  • 00:00 – The Challenge of Resource Prioritization for Small Business
  • 00:26 – Introducing Daniel Eliot and NIST’s Mission
  • 01:02 – Daniel’s Journey: Making Cybersecurity Accessible
  • 02:25 – Exploring the Small Business Cybersecurity Corner
  • 03:20 – What is the NIST Cybersecurity Framework (CSF)?
  • 03:59 – The 6 Functions of the CSF
  • 04:26 – The Small Business Quick Start Guide for CSF 2.0
  • 06:52 – How to Identify Your Most Critical Assets
  • 09:56 – When to Seek Help: Engaging MSPs and Local Resources
  • 10:52 – Defining a "Successful" Cybersecurity Program
  • 13:21 – Essential Fundamentals: MFA, Patching, and Backups
  • 15:35 – How to Engage Directly with NIST 

About Jen Stone

Jen Stone (MCIS, CISSP, CISA, QSA) is a Principal Security Analyst at SecurityMetrics with over 25 years of experience in the technical information sector. She has completed over 100 high-level security assessments, specializing in PCI, HIPAA, and CIS Critical Security Controls.

Jen started her career in IT operations and has worked across various sectors, including DevOps and development. This broad background allows her to bridge the communication gap between non-technical business leaders and their IT teams. As the host of Practical Cybersecurity, Jen is dedicated to demystifying complex data security and compliance trends to make them actionable for businesses of all sizes.

When she isn't helping organizations secure their data, Jen is a "Women in Technology" mentor, runs the largest aerial arts competition in the world, and is an enthusiast of chicken-keeping and motorcycle riding.

Practical Cybersecurity Podcast: NIST for Small Businesses

Daniel Eliot: There's nothing more important than resource prioritization when it comes to a small business. You have to make payroll. You have to make the bread for tomorrow's potato production, or you need to do whatever all the million things you have to do. And so cybersecurity is just one piece of that.

Jen Stone: Hello, and welcome back to Practical Cybersecurity. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. I'm very excited about today's topic. It is NIST for small businesses. Yes, this can happen. And we have Daniel Eliot here. He's the lead for small business engagement within the National Institute of Standards and Technology, Applied Cybersecurity Division. I would love to start by learning a little bit about your background, your career journey, and how your experiences in other places kind of have shaped your approach to NIST.

Daniel Eliot: I worked for the Small Business Development Center, where I was helping small businesses start to scale. Back in 2014, NIST published this newfangled thing called the NIST Cybersecurity Framework. And I was like, this is a great resource, but how do we apply it to small businesses? And so we got a grant from the SBA and developed a small business resource, and a whole program to help small businesses in Delaware kind of improve their cybersecurity using language that a small business owner that's not a technical expert, not a cybersecurity technical expert, could understand.

Jen Stone: I love that. I think there's a big misconception out there that this can't be used or shouldn't be used for small and medium businesses, but there's an entire focus of it at the agency. Could you give us like an overview—what is NIST, first of all?

Daniel Eliot: This is part, as I said, of the U.S. Department of Commerce, and we develop cybersecurity and privacy standards, guidelines, best practices, and resources to really meet the needs of U.S. industry. Tying it back to small business, you know, we actually have two kind of taskings from Congress that task NIST with creating voluntary, free resources that small businesses can use to improve their cybersecurity risk management. In response to that, we created the Small Business Cybersecurity Corner, which is a website that houses, I think at this point, well over 70 different resources, all tailored to small businesses. And they include short videos, tip sheets, case studies, and quickstart guides, organized by both topic and by industry.

Jen Stone: That's just kind of to put to rest a couple of the myths that I hear all the time, which is that NIST is really only for businesses that are specifically related to the government, which I don't think is true.

Daniel Eliot: All of our resources are available to any organization. Really, anybody could take that and use it to make improvements to their cybersecurity risk management or privacy risk management or whatever it is.

Jen Stone: Yeah. Maybe can you just give us a high-level understanding of what the CSF is?

Daniel Eliot: The CSF, the Cybersecurity Framework, is a free, voluntary framework to help organizations—regardless of your size, your sector, or your cybersecurity maturity—to help you better understand, assess, and prioritize—and I want to come back to that word prioritize—and communicate about cybersecurity efforts. It's organized into six high-level functions of Govern, Identify, Protect, Detect, Respond, and Recover.

Jen Stone: It sounds like you provide actionable, small-chunk resources that small businesses can apply to their organizations.

Daniel Eliot: I recognize, I'm one of the people that said, "Hey, NIST, this cybersecurity framework is too big for small business." And so when I joined, one of the first opportunities I got was to develop a Small Business Quick Start Guide for the Cybersecurity Framework 2.0. And what it does is it extracts a lot of key insights and key steps that a small, under-resourced organization could realistically achieve. Now, that's not to say it includes everything, because when we say small business, that really is quite diverse, right?

Jen Stone: Right. Yeah.

Daniel Eliot: You know, that could be a hardware store in a local community, or that could be a very sophisticated biotech business that is doing work with the federal government. Small businesses are a very diverse population. But these resources, these primers, really help a small, under-resourced organization who might not have a cybersecurity expert in-house to begin to understand some basic steps they can take to better protect their organization, to make their business more resilient in the face of increasing cybersecurity risks. So when you look at the Cybersecurity Framework, you might not use all of it. And so that's why the Small Business Quick Start Guide is a useful tool for under-resourced organizations, because it helps focus that prioritization, because there's nothing more important than resource prioritization when it comes to a small business. Right. You don't only have cybersecurity to worry about. I recognize that you have to make payroll. You have to make the bread for tomorrow's potato production, or you need to do whatever all the million things you have to do. And so cybersecurity is just one piece of that. The Cybersecurity Framework helps organizations create a structure and a foundation from which you can build out a cybersecurity risk management strategy.

Jen Stone: I would love to hear like an example or two of what does this Quick Start Guide recommend? If an SMB comes along and says, "Okay, I'm going to give it a shot," what can they expect from that?

Daniel Eliot: So the Quick Start Guide provides a subset of cybersecurity outcomes from the "big" CSF. And so in that subset are really some of the ones that, as I was building it, I thought a small business should be prioritizing, and as we socialized it, I got concurrence from small business stakeholders. And so some of those examples would be right within Governance. Do we have someone in our organization who is responsible for cybersecurity risk management? And making sure that we're meeting our legal regulatory requirements, that our staff are being trained, that we're documenting some of those requirements, that we understand how cybersecurity can impact our mission. If I'm an e-commerce company, gosh, if my e-commerce platform goes down because I didn't patch it or I didn't update my software, now a cybercriminal has taken advantage of me not patching that software, and I don't have access to my e-commerce platform. And that's the main way I run my business. That right there is a huge impact on my business. If I'm an intellectual property attorney, maybe I'm a solo IP attorney and a criminal accesses my customer's IP records. That's a huge "no-no" for my business. So do we understand what the most critical assets for our business are, so that we can then understand the appropriate safeguards to protect them? Because when it comes back to that prioritization, small businesses get overwhelmed and they think, "I need to do everything all at once; I need to protect everything at the same level." Just take a moment and first recognize who's responsible—who's going to take the lead for this. Because if everyone is responsible, nobody is responsible for our most critical assets that we need to be protecting. First start. And then how do we begin to protect them? It's an iterative process. It's cyclical as technologies change or businesses change. So we have to come back to cybersecurity risk management every now and then and understand if we're still protecting what we need to protect. But I think those are some of the pieces that are in the Small Business Quick Start Guide.

Jen Stone: Excellent. Yeah. Having a guide gives you a way to go back and say, "Now I am going to look at these elements and make sure—where are we at with them?" Let's start somewhere. And sometimes just the act of starting somewhere can be overwhelming if you don't have someone saying, "Here's your checklist, here's some advice on starting somewhere." Because once you've started, then you can improve from there. But if you haven't started, things are just going to stay chaotic.

Daniel Eliot: And that's why I also encourage—even in the Quick Start I would say—find someone who can help you with this. So we're really encouraging small businesses to reach out into their local community, whether that is engaging an MSP or MSSP, whether that is looking at their local Chamber of Commerce to find a cybersecurity person to help them think through this. Because a small business owner, as you said, is wearing so many hats and cybersecurity is not easy. It is complex. And so finding someone who can help you with this if you don't feel comfortable doing it yourself—find someone who can help you do that.

Jen Stone: Absolutely. What do you say to groups that are like, "Well, I've started something, I just don't know how well we're doing"? When I want to know if I'm successful at this or not, what does a good, successful cybersecurity program look like?

Daniel Eliot: Continuous improvement is a successful cybersecurity program. Recognizing that it's not a "set it and forget it," that we are regularly revisiting our cybersecurity plan. If something happens, who do we turn to? Who do we call? What are our first steps? And then we revisit that annually. And so as we continue to grow our business, that business probably gets more complicated as far as our IT infrastructure. And so we want to be sure that if we're collecting more data, or we're sending out more data or creating more data, how are we continuing to step back and ask ourselves: "Are we making a reasonable effort to protect our customer data, our own data, and devices?"

Jen Stone: I love that answer, because being aware that there's always something to learn and you can always improve it seems like the way to approach it. I think you're uniquely placed to have your ear to the ground on what's going on broadly in terms of cybersecurity, especially among small and medium businesses. What is your sense of doom or hope? How are you feeling about SMEs and cybersecurity?

Daniel Eliot: There are increasing demands when it comes to legal, regulatory, and contractual requirements on small businesses. And meeting cybersecurity standards or insurance—if you want to get cybersecurity insurance, you have to meet certain criteria. And so I look at it as a competitive advantage for small businesses in this environment where you can easily lose your competitive advantage by not taking cybersecurity seriously, particularly with as much as we rely on the internet and technology to run an efficient, profitable business today.

Jen Stone: Excellent. Well, if you could give one piece of advice to small business owners about cybersecurity, what would that be?

Daniel Eliot: My piece of advice would be to follow the fundamentals. There are some core fundamentals of cybersecurity that even larger organizations get wrong sometimes, like enabling multi-factor authentication, like patching our software, like backing up our data, and reviewing administrative privileges so that I don't have staff who are using admin rights to do day-to-day tasks. When an employee leaves or when a contractor leaves—is fired or whatever else—are you removing access from them at the right time? Before you give employees access to email, are you training them on your expectations? Are you teaching them about cybersecurity basics? These are some fundamentals that really go far in protecting a business of all sizes.

Jen Stone: Excellent. I love that you said how important the fundamentals are, especially when you're getting started, but even all the way along. It sometimes might feel like we're repeating ourselves with "Do you have multi-factor authentication in there?" or "Are you using your passwords?"—all of these basic things. But the reason we keep talking about them is because they continue to be important. They continue to be the way that you can prevent cyber attacks from being successfully executed. That's excellent advice. Is there anything that we've missed? I want people to definitely go over to the Small Business Cybersecurity Corner at NIST and take a look and see what you have out there. But are there any other topics that I didn't quite cover during this conversation?

Daniel Eliot: At NIST, we are continuing to develop small business resources and outreach. And what I'm not trying to do is create a bunch of new "top ten" lists or whatever it is on cybersecurity. There are a lot of resources out there already for small business cybersecurity. What I'm trying to do is create easier pathways into NIST's foundational guidance and resources, and to create opportunities for small businesses to directly engage with NIST, such as through communities of interest that are for small businesses or through events. I'm regularly not only just talking—which I talked a lot on this podcast—but I'm also listening. I want to hear from small businesses. And so if you have particular pain points, if you have particular resources you want to see—part of engagement is not just talking, it's listening. And so I want to represent that part of my job. And that's why I do a lot of events like this, do a lot of webinars, and try to do in-person talks when I can to make sure that I'm continuing to engage with small businesses, understand what they need, and engage with them in meaningful ways. And so, I invite listeners to engage and to participate and to let your voice be heard.

Jen Stone: Excellent. Well, thank you for spending time with me today and letting people know about the programs that you have going on there. I'm going to go take a second look, and I appreciate your explaining it to our listeners.
