
The FTC hosted roundtables across the country asking small business owners how we can help you address the challenges of cybersecurity. Based on your feedback, we designed to-the-point tips now available at Last week we kicked off a 12-part every-Friday Business Blog series with cybersecurity basics. Today’s topic: what you need to know about the NIST Cybersecurity Framework.

Understanding the NIST Cybersecurity Framework

One thing business owners told us at those roundtables was the need for consistent advice from the different federal agencies with expertise in data security and cybersecurity. Message received. That’s why we worked with NIST – the National Institute of Standards and Technology at the U.S. Department of Commerce – to create a new factsheet for small businesses about NIST’s Cybersecurity Framework. The Framework helps businesses of all sizes better understand, manage, and reduce the cybersecurity risks to their networks and data. The Framework is voluntary, but it gives businesses an outline of best practices to help you decide where to focus your efforts. Here’s a summary of how it breaks the task down into five key areas.

Identify

List all equipment, software, and data you use – laptops, smartphones, tablets, point-of-sale devices, etc. Create and share a company cybersecurity policy that spells out the responsibilities of employees, vendors, and anyone else with access to sensitive information. Think through the steps to take to protect against an attack and limit the damage if one occurs.

Protect

The Framework includes some practical “to dos” for protecting your business:

  • Control who logs on to your network and uses your computers and other devices.
  • Use security software. Update it regularly. If possible, automate those updates.
  • Encrypt sensitive data at rest and in transit.
  • Back up data regularly.
  • Have a policy in place for securely disposing of files and devices you no longer have a business need to keep.
  • Train employees in cybersecurity, emphasizing the critical role every member of the team plays.

Detect

Who’s doing what on your devices and networks? Monitor your computers for unauthorized access, devices (like USB drives), and software. Investigate any unusual activities on your network or by your staff.

Respond

Hope for the best? Yes, but plan for how you’ll respond if your business is the target of a cyber attack. Consider how you’ll notify customers and others whose data may be at risk, keep business operations up and running, report the attack to law enforcement and other authorities, and investigate and contain the attack. While the episode is still fresh in your mind, update your cybersecurity policies to reflect lessons learned and test your plan periodically. Of course, cyber crooks aren’t the only threat your network faces. Build into your plan contingencies for weather emergencies or other unexpected events that may put data at risk.

Recover

After an attack, restore affected equipment and parts of your network. Keep employees and customers informed about the steps you’re taking to recover.

Learn more about NIST’s Cybersecurity Framework and visit their Small Business Corner. Looking for a down-to-business resource for your employees? Download the FTC’s factsheet on the NIST Framework.

Next week: How cybersecurity begins with strong physical security
