Cybersecurity for small business: Understanding the NIST Cybersecurity Framework


The FTC hosted roundtables across the country asking small business owners how we can help you address the challenges of cybersecurity. Based on your feedback, we designed to-the-point tips now available at ftc.gov/cybersecurity. Last week we kicked off a 12-part every-Friday Business Blog series with cybersecurity basics. Today’s topic: what you need to know about the NIST Cybersecurity Framework.

Understanding the NIST Cybersecurity Framework

One thing business owners told us at those roundtables was the need for consistent advice from the different federal agencies with expertise in data security and cybersecurity. Message received. That’s why we worked with NIST – the National Institute of Standards and Technology at the U.S. Department of Commerce – to create a new factsheet for small businesses about NIST’s Cybersecurity Framework. The Framework helps businesses of all sizes better understand, manage, and reduce the cybersecurity risks to their networks and data. The Framework is voluntary, but it gives businesses an outline of best practices to help you decide where to focus your efforts. Here’s a summary of how it breaks the task down into five key areas.

IDENTIFY

List all equipment, software, and data you use – laptops, smartphones, tablets, point-of-sale devices, etc. Create and share a company cybersecurity policy that spells out the responsibilities of employees, vendors, and anyone else with access to sensitive information. Think through the steps to take to protect against an attack and limit the damage if one occurs.

PROTECT

The Framework includes some practical “to dos” for protecting your business:

  • Control who logs on to your network and uses your computers and other devices.
  • Use security software. Update it regularly. If possible, automate those updates.
  • Encrypt sensitive data at rest and in transit.
  • Back up data regularly.
  • Have a policy in place for securely disposing of files and devices you no longer have a business need to keep.
  • Train employees in cybersecurity, emphasizing the critical role every member of the team plays.

DETECT

Who’s doing what on your devices and networks? Monitor your computers for unauthorized access, devices (like USB drives), and software. Investigate any unusual activities on your network or by your staff.

RESPOND

Hope for the best? Yes, but plan for how you’ll respond if your business is the target of a cyber attack. Consider how you’ll notify customers and others whose data may be at risk, keep business operations up and running, report the attack to law enforcement and other authorities, and investigate and contain the attack. While the episode is still fresh in your mind, update your cybersecurity policies to reflect lessons learned and test your plan periodically. Of course, cyber crooks aren’t the only threat your network faces. Build into your plan contingencies for weather emergencies or other unexpected events that may put data at risk.

RECOVER

After an attack, restore affected equipment and parts of your network. Keep employees and customers informed about the steps you’re taking to recover.

Learn more about NIST’s Cybersecurity Framework and visit their Small Business Corner. Looking for a down-to-business resource for your employees? Download the FTC’s factsheet on the NIST Framework.

Next week: How cybersecurity begins with strong physical security
