Protecting Your Nest With NIST Small Business Network Security Checklist

Founded in 1901, the National Institute of Standards and Technology (NIST) serves as America’s “standards laboratory.”  A part of the U.S. Department of Commerce, NIST initially assembled standards and measurements for electricity, temperature, time and the like.  Today, NIST provides technical leadership on a wide range of issues affecting the American economy.  That includes setting the standards for small business information security.

“NIST is the de facto gold-plated standard for cyber security,” says Don Thompson, CEO of Capital Network Solutions in Sacramento.  “If you can say that your business is NIST-compliant, then you’re in great shape.”

According to recent statistics, cybercriminals are increasingly targeting small businesses.  Too many business owners discover too late that their business credentials are for sale on the dark web.  Meanwhile, a recent spate of high-profile cyberattacks on hospitals and city governments underlines the dangers of malicious hackers and inattentive employees.  However, whether because of limited funds or limited knowledge, small businesses tend to overlook necessary cyber security measures.  Unfortunately, the effects of a data breach on a small business can be devastating:

  • 43% of cyber attacks target small businesses.
  • 14% of small businesses rate their cyber defenses as “highly effective.”
  • 60% of small businesses shut down within six months of a cyber attack.

NIST bridged that knowledge gap earlier this year when they published Small Business Information Security: The Fundamentals.  This 54-page document outlines NIST best practices regarding the fundamentals of cyber security.  Moreover, it presents the information in non-technical language that is accessible to anyone.

NIST recommends a five-pronged approach to cyber security:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Understanding and Managing Risks

NIST Best Practices

The first thing that every business needs to do is catalog their threats and vulnerabilities.  By understanding your risks, you get a better idea of where to focus your cyber security efforts.  Some of the most common risks include:

  • Environmental (fire, flood, tornado, earthquake)
  • Business Resources (equipment failure, supply chain disruption, inattentive and untrained employees)
  • Hostile Actors (hackers, hacktivists, criminals, nation-state actors)

You should also identify what types of information your business stores, and document how that information gets used.  While your small business may not store PII (personally identifiable information) on your customers, it probably does for your employees.  Determine the value of your company’s data by developing an inventory of the data, and then inventory your IT hardware, software and applications.

Small Business Information Security: The Fundamentals will show how small businesses can provide essential security for their information, systems and networks.  You can check out the entire document online, but we distilled it down to this NIST security checklist.

Identify

  • REVIEW who has access to your business information by vetting all accounts and privileges.

  • CONTROL who can access your business information and systems:

      • Use unique, complex passwords on all accounts.
      • Utilize the session lock feature included with most operating systems.
      • Set the system auto-lock to 15 minutes or less.

  • CONDUCT background checks on all prospective employees.

  • REQUIRE individual user accounts for each employee and service.

  • CREATE policies and procedures for information security:

      • Train new employees on the policies and procedures, and publish them where staff can find them.
      • Require employees to sign a statement that they have read and understood the policies.
      • Review and update the policies and retrain staff at least once a year.

  • CONSIDER instituting cyber security awareness training to reduce vulnerability to phishing attacks.

Protect

  • LIMIT employee access to data and information:

      • Wherever possible, do not allow any single employee to access all your business information.
      • Forbid a single employee from both initiating and approving a transaction, financial or otherwise.

  • INSTALL surge protectors or an uninterruptible power supply (UPS) on all systems and test them before use.

  • PATCH your operating systems and applications regularly.

  • ACTIVATE software and hardware firewalls on all business networks.

  • DEPLOY spam filters for web and email.

  • RUN a vulnerability scan and a penetration test at least once a year.

  • DISPOSE of old computers and media safely.

  • ENCRYPT all data on all workstations, laptops and mobile devices.

  • SECURE all wireless access points (WAPs):

      • Change all default administrative passwords.
      • Do not broadcast the SSID.
      • Use WPA2 with AES.
      • If you provide wireless access to customers, separate it from your business network.

Detect

  • EMPLOY and keep updated antivirus, anti-spyware and other anti-malware programs.

  • SET alerts on antivirus, anti-spyware and anti-malware programs.

  • MAINTAIN logs of:

      • Servers and workstations.
      • Network equipment such as firewalls, switches and WAPs.

  • IMPLEMENT Security Information and Event Management (SIEM).

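As an added example (not part of the NIST publication or of the CNS checklist), the following PowerShell script spot-checks a Windows 10/11 workstation against several items above: the 15-minute auto-lock, the firewall on every profile, recent patching, BitLocker encryption of the system drive, antivirus status and the shared Guest account.  It assumes Microsoft Defender is the antivirus in use, and the 30-day patch and 7-day signature thresholds are illustrative choices, not NIST figures.

```powershell
# Added audit script (not from NIST or CNS). Run in an elevated PowerShell
# session on Windows 10/11; the cmdlets used ship with Windows (NetSecurity,
# BitLocker, Defender and LocalAccounts modules). Thresholds are illustrative.
$findings = New-Object System.Collections.Generic.List[string]

# CONTROL: auto-lock at 15 minutes (900 s) or less. The policy "Interactive
# logon: Machine inactivity limit" stores InactivityTimeoutSecs under this key.
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if (-not $sys.InactivityTimeoutSecs -or $sys.InactivityTimeoutSecs -gt 900) {
    $findings.Add('Auto-lock: inactivity limit not set or above 15 minutes')
}

# ACTIVATE firewalls: the Domain, Private and Public profiles must all be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Firewall: profile '$($_.Name)' is disabled")
}

# PATCH regularly: flag the machine if no update was installed in the last 30 days.
$lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings.Add('Patching: no update installed in the last 30 days')
}

# ENCRYPT all data: BitLocker protection must be on for the system drive.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    $findings.Add("Encryption: BitLocker protection is not on for $env:SystemDrive")
}

# EMPLOY and update antivirus: Defender real-time protection on, signatures
# updated within the last 7 days.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Antivirus: Defender real-time protection is off')
} elseif ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings.Add('Antivirus: signatures are more than 7 days old')
}

# REQUIRE individual accounts: the shared built-in Guest account must stay disabled.
if (Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue | Where-Object Enabled) {
    $findings.Add('Accounts: built-in Guest account is enabled')
}

# Each finding is a checklist item to remediate; an empty list means all checks passed.
if ($findings.Count -eq 0) { 'All checked items pass.' } else { $findings }
```

Each printed line is one checklist item to fix before the next review; running the script on each workstation at patch time turns the checklist into a repeatable check rather than a one-off.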
NIST Security Checklist: Small Business Information Security

Respond

  • CREATE an emergency plan for disasters and information security incidents. The plan should include:

      • Roles and responsibilities.
      • What types of activities constitute a security incident.
      • What to do with your information systems.
      • Who to call in case of an incident.
      • When to notify the appropriate authorities.

  • KNOW the data protection and notification laws for your area and include any relevant information in your emergency plan.

Recover

  • CAPTURE full backups of critical business data and information to ensure a quick recovery:

      • Perform backups on any device that stores PII or essential business data.
      • Encrypt all backups and store them offsite.
      • Test backup and restore functions regularly.

  • MAKE incremental, encrypted backups of PII and critical business data:

      • If possible, store at least 52 weeks of incremental backups.
      • Encrypt all backups and store them offsite.
      • Test backup and restore functions regularly.

  • CONSIDER purchasing cyber liability insurance to cover revenue lost due to downtime, as well as the costs of customer notification, credit monitoring services, civil case judgments and related fees and fines. However, before you purchase:

      • Determine your business risks before buying a policy.
      • Research the protections and services offered by each provider.
      • Review what types of events the policy covers.

  • IMPROVE your processes and procedures and UPGRADE your technologies moving forward.


  • Pay attention to the people you work with and around.
  • Be careful of email attachments and web links.
  • Use separate personal and business computers, mobile devices and accounts.
  • Do not connect untrusted storage devices or hardware to your computers, devices or networks.
  • Be careful about downloading software.
  • Do not give out personal or business information.
  • Watch for harmful pop-ups.
  • Use strong passwords.


At Capital Network Solutions, we possess over three decades of experience securing IT infrastructures for small businesses.  We have the tools, the knowledge, the partnerships and the expertise to bring your business in line with NIST best practices for cyber security.  If you are concerned about the information security of your small business, call CNS at (916) 366-6566 to set up a free consultation.