NIST Offering Much Needed Guidance for Neglected SMBs

Friday, August 11, 2017

Avi Bartov


It’s refreshing to see that SMB cybersecurity is getting noticeably more attention on a national level in the United States. Awareness of the risks is growing, and with Congress and organizations such as the National Institute of Standards and Technology (NIST) publicly playing a larger role in the discussion, we’re on our way to making some notable inroads.

After all, small to medium-sized businesses account for over 46 percent of the entire output of the private sector in the United States, and therefore they are a vital cog in our overall economic engine. SMBs are responsible for creating 63 percent of all new jobs, yet they have been largely overlooked in the cybersecurity arena as fast-growing threats and opportunities for disruption emerge.

In a recent NIST interagency report (PDF) titled “Small Business Information Security: The Fundamentals,” researchers note that while many companies are investing heavily in people, processes, and technology to boost their security posture, “small businesses typically don’t have the resources to invest in information security the way that larger businesses can and so criminals view them as soft targets.”

Usually motivated by profit, most cybercriminals can actually be viewed as small business owners themselves (albeit illegal ones), who, like legitimate business owners, try to squeeze as much revenue from as few resources as possible. The financial and manpower costs to breach a Fortune 500 company are usually much greater than the few dollars they might spend to compromise a local dry-cleaning chain, so SMB owners must be able to identify their unique risks and protect themselves against them.

While attacks are a mix of both random and targeted efforts, there are certain characteristics that serve as “common denominators” for attacks against SMBs. According to research presented at BlackHat 2017, cybercriminals generally target SMBs because of weaknesses in either people, processes or technology. Any business that requires its employees to have regular access to desktops, laptops, and company email is a more susceptible and enticing target for cyberattacks. A surprisingly high number of systems are still outdated and unpatched, and therefore highly vulnerable.

Another way to gain the unwanted attention of hackers is to host online customer service portals or other website resources that store customer or company information – and then fail to protect the website properly. SMB owners or IT administrators should understand these risks and the best practices associated with them. Those who don’t think about enforcing proper policies and training initiatives are also inviting trouble, as this makes a hacker’s task akin to taking candy from a baby. Hence the welcome heightened discussion at the federal level.

The NIST framework provides the much-needed guidance that organizations of any size can use to identify their major risks in cyberspace, assess their vulnerabilities in people, processes, or technology, improve their ability to prioritize and invest smartly in cyber resources, and demonstrate their good faith efforts to manage risks and safeguard themselves and their customers (which can be crucial to regaining customer trust after a breach).

Having strong people and processes can be just as important to securing information as the technological component, and therefore establishing intelligent policies and proactively seeking guidance can make the difference between an SMB that falls victim and one that successfully mitigates its risk.

About the author: Avi Bartov is co-founder of GamaSec, a global provider of website security solutions for small and medium-sized businesses. A technology executive who led several companies to success in Europe and Israel, Avi has more than 20 years of experience in IT security management and is a graduate of Nanterre University with a degree in international law.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.