Cybersecurity Standards for Small Business, NIST IR 7621
Small businesses should follow the information security (cybersecurity) standards published by the National Institute of Standards and Technology (NIST), in Interagency Report 7621 (NIST IR 7621). The document may be used to develop a business Written Information Security Policy (WISP).
NIST is a partner with the Small Business Administration (SBA) and the Federal Bureau of Investigation (FBI) in an information security awareness outreach to small businesses. NIST developed NIST IR 7621 as a reference guide for small business. It presents the fundamentals of a small business information security program in non-technical language.
Small businesses have less expertise and fewer resources than big businesses for implementing a cybersecurity program. This may be viewed as a weakness by criminals, making small businesses a target for attack.
There are several benefits to following the cybersecurity guidelines in NISTIR 7621:
a) Target hardening: making a small business a more difficult target for cybercriminals to attack and penetrate. Criminals are more likely to attack an easy target than one with a strong defense. The cost to implement a security program is less than the potential loss of time, customers, business, and reputation, and the lawsuits that can follow negligent security.
b) Reduced liability risk: following published security standards from NIST reduces the risk of a data breach and of lawsuits from clients and customers, and demonstrates good faith on the part of the small business in using reasonable care to protect information and systems from attacks, theft, malfunction, and disasters.
c) Helps to qualify for cyber insurance to protect against major losses. Insurance companies require certain security measures before they will issue a cyber insurance policy, and they ask about computer system operations and security on the insurance application.
NISTIR 7621 has several sections. Section 2 describes basic security for all small businesses. Section 3 describes policies for a higher level of security. Section 4 provides additional guidelines for business continuity planning, disaster recovery, cost reductions, and writing security policies.
Some businesses may also be required to comply with state and federal laws and regulations on data security and privacy such as HIPAA, SOX, PCI DSS, FERPA and others for medical, financial, banking, credit card, education, legal and other records.
2.0 Absolutely Necessary Cybersecurity Actions for Small Business
2.1 Manage risk: conduct a risk assessment to identify risks, implement protection to eliminate or reduce the identified risks, and have an independent auditor conduct an annual IT security review.
2.2 Install antivirus, anti-malware, and anti-spyware software: use it and update it on a regular basis, set it to auto-update and auto-scan once per day; employees working at home must use the same protection as at work.
2.3 Install a hardware firewall, such as a router, between the internal network and the Internet; employees working at home must use the same protection as at work. The weak default admin password must be changed to a strong password.
2.4 Install a software firewall on each computer used, either the Windows firewall or a commercial software firewall.
2.5 Install all software updates to the operating system and applications promptly; use auto-update where available.
2.6 Make backup copies of important data files on a regular schedule; use auto-backup if possible; store them on removable media or with a cloud storage provider (using encryption); test backup copies periodically by restoring some files; make a full backup once a month and store it offsite in a protected location.
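Section 2.6 says to test backups by restoring some files, but a restore only proves something if the restored files can be compared against what was backed up. The script below is an added example, not code from NIST or from NIST IR 7621: it builds a SHA-256 manifest of a source folder at backup time and later checks a restored copy against that manifest, reporting files that are missing or whose contents changed. The folder layout and file contents in `demo()` are constructed for the demonstration.

```python
"""Backup restore test: build a SHA-256 manifest of the source files and
verify a restored copy against it.  Added example, not part of NIST IR 7621."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest.
    Save this alongside the backup; it is what a restore is checked against."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> list:
    """Return a list of (relative_path, reason) problems found in the restored
    tree; an empty list means every manifest file was restored intact."""
    problems = []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != digest:
            problems.append((rel, "corrupted"))
    return problems


def demo() -> tuple:
    """Constructed demonstration: a small source tree, one good restore and one
    bad restore.  Returns (problems_in_good_restore, problems_in_bad_restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2015-01.txt").write_text("invoice data\n")
        (src / "customers.csv").write_text("name,email\nAda,ada@example.com\n")
        manifest = build_manifest(src)  # taken at backup time

        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)
        good_problems = verify_restore(manifest, good)

        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "customers.csv").write_text("name,email\n")  # truncated on restore
        (bad / "invoices" / "2015-01.txt").unlink()          # never restored
        bad_problems = verify_restore(manifest, bad)
        return good_problems, bad_problems


if __name__ == "__main__":
    good, bad = demo()
    print("good restore problems:", good)
    print("bad restore problems:", bad)
```

Keep the manifest with the offsite copy as well as on the working system: if the backup media itself is damaged, the manifest is what tells you which files were lost rather than leaving you to discover it months later.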
2.7 Control physical access to computers and the network: lock up computers when not in use, keep screens hidden from others or use a privacy screen, and prevent cleaning crews and maintenance and repair people from gaining access.
2.8 Secure wireless networks: do not broadcast the SSID, change the admin password from the default value to a strong password, do not use WEP encryption, and use WPA or WPA-2 with AES encryption.
2.9 Conduct security training on a regular basis: initial training for new employees and refresher training for all employees; review security policies for protected data; develop a culture of security; have employees sign a statement agreeing to follow security policies.
2.10 Require a separate user account for each user, with limited privileges; only the system manager may have full admin privileges. Strong passwords are required: a random sequence of upper- and lower-case letters, numbers, and special characters, at least 12 characters long.
2.11 Limit access to systems and data on a need-to-know basis, limit the authority to install software, and do not allow a single person to both initiate and approve a transaction.
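The password rule in section 2.10 (random mix of upper, lower, digits and special characters, at least 12 characters) is easy to state and easy to get wrong in practice, usually by generating with a non-cryptographic random source or by letting the "random" string miss a class. The script below is an added example, not code from NIST or NIST IR 7621: it generates passwords from the operating system's CSPRNG via Python's `secrets` module, guarantees one character from each class, and provides a checker that reports exactly which rules a candidate password fails. The special-character set and the default length of 16 are assumptions of this example, not values from the document.

```python
"""Password generation and policy check for the NIST IR 7621 section 2.10 rule.
Added example; the special-character set and default length are assumptions."""
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set; adjust to what your systems accept
MIN_LENGTH = 12                       # the minimum stated in section 2.10


def check_password(pw: str) -> list:
    """Return the list of policy rules the password fails; empty means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in UPPER for c in pw):
        failures.append("no upper-case letter")
    if not any(c in LOWER for c in pw):
        failures.append("no lower-case letter")
    if not any(c in DIGITS for c in pw):
        failures.append("no digit")
    if not any(c in SPECIAL for c in pw):
        failures.append("no special character")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a password with the OS CSPRNG (secrets, never random.random),
    guaranteeing one character from every class, then shuffling so the class
    positions themselves are unpredictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # SystemRandom draws from the same OS entropy source as secrets
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    candidate = generate_password()
    print("generated:", candidate, "failures:", check_password(candidate))
    print("weak example failures:", check_password("password"))
```

Use `check_password` when setting policy on accounts you administer and `generate_password` when issuing initial passwords; a password manager can then hold the result, which is a better "safe place" for most offices than a note under the keyboard.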
3.0 Highly Recommended Cybersecurity Practices
3.1 Do not open email attachments unless you are expecting the email from a trusted sender.
3.2 Do not click on web links in email, instant messages, or social media unless it is a known, trusted link.
3.3 Watch for harmful pop-up windows and other hacker tricks: close pop-up windows by clicking the X in the upper right corner of the pop-up window, or turn on the pop-up blocker in the web browser. Do not insert CDs, DVDs, or USB drives from an unknown or untrusted source; disable AutoRun for USB ports, CDs, and DVDs.
3.4 Use a secure browser connection (https) for online business and banking; after your online business session, erase the web browser cache, including temporary internet files, cookies, and history.
3.5 Exercise due diligence in hiring employees, including a criminal background check, sex offender registry check, and credit check; call references and former employers; call schools to verify attendance, grades, and degrees earned.
3.6 Use a standard user account when online, not an administrative user account; administrative rights can allow malicious software to install itself.
3.7 Do not download software from unknown websites; the website must be a trusted one, such as a major corporation or well-known vendor, or the download must be scanned by anti-malware software.
3.8 Get training or help with information security when needed: take classes and webinars at your local SBDC, SCORE office, SBA office, or community college, or webinars from trusted vendors. Before hiring a security consultant, check references and qualifications.
3.9 Dispose of old computers and media securely: use secure delete or disk wipe to destroy data on hard disks (standard delete and formatting do not erase the data), destroy old CDs, DVDs, and floppy disks, and shred paper documents with a crosscut shredder or incinerate them.
3.10 Protect against social engineering: do not give personal or confidential information to any unauthorized person by phone, email, or other means. Criminals may use information found on websites and social media to gain your confidence and get you to reveal information.
3.11 Create an asset inventory of hardware, software, and information, and update it annually.
3.12 Use encryption for business information, such as BitLocker or Encrypting File System (EFS); use full disk encryption when available; write down the encryption key and store it in a safe place; encrypt data on mobile devices such as smartphones, tablet PCs, and laptop PCs; encrypt removable media such as USB flash drives, CDs, DVDs, and memory cards.
4.0 More Advanced Cybersecurity Practices (see NIST IR 7621 for details)
4.1 Contingency Planning and Disaster Recovery
4.2 Cost Avoidance Considerations in Information Security
4.3 Create Business Policies for Information Security
1. Download NIST IR 7621, original release, October 2009
2. Download NIST IR 7621, revision 1, draft, December 16, 2014
Protect your small business by following basic and advanced cybersecurity standards and best practices in NIST IR 7621.
Please share this blog post with other small business owners.
[This information is not legal advice or security advice.]