Small businesses are anything but small when it comes to the US economy. According to the Small Business Administration (PDF), there are close to 28 million small businesses in the US. These businesses produce approximately 46% of our nation’s private-sector output and create 63% of all new jobs in the country.

Because of their importance, government agencies like the National Institute of Standards and Technology (NIST) are concerned about the “running lean” reputation attached to small businesses, in particular when it comes to investing in information security. In the recent NIST publication Small Business Information Security: The Fundamentals (PDF), coauthors NIST researcher Celia Paulsen and NIST computer scientist Patricia Toth write, “Because small businesses typically don’t have the resources to invest in information security the way larger businesses can, many cybercriminals view them as soft targets.”

“As a result, they [large businesses] have become a more difficult target for malicious attacks from hackers and cybercriminals,” continue Paulsen and Toth. “Consequently, hackers and cybercriminals are now successfully focusing more of their unwanted attention on less secure [small] businesses.”

SEE: Three baseline IT security tips for small businesses (TechRepublic)

Help for small businesses

The authors felt compelled to help small businesses by providing a security program individuals responsible for the safety of their company’s data can easily implement. “It is possible–and reasonable–to implement a program that balances security with the needs and capabilities of your business,” write Paulsen and Toth. “This publication provides small businesses with basic practices and tools needed to develop an information security program to protect their business’s information.”

To accomplish their goal, Paulsen and Toth take the following into consideration.

How to implement an information security program

The authors discuss security in terms of risk. “By understanding your risks, you know where to focus your efforts,” explain Paulsen and Toth. “While you can never eliminate your risks, the goal of your program should be to provide reasonable assurance that you have made informed decisions related to the security of your information.”

The authors then look at individual elements of risk and how to manage them. As shown in Figure A, taking inventory of company information and assessing the risk incurred from sensitive information being made public or stolen is an important consideration.

Figure A

Actions a small business can take to develop or improve the security of its digital assets

Paulsen and Toth feel the fastest and simplest way to secure a company’s digital assets is by using NIST’s Cybersecurity Framework. The framework helps organize processes and tools used to protect company information. As shown in Figure B the framework divides the mitigation process into five categories: Identify, Protect, Detect, Respond, and Recover. Each process is discussed at length in the paper.

Figure B

Paulsen and Toth also mention that using the Cybersecurity Framework allows for easy dissemination of information between companies that might be experiencing the same security incident.

SEE: Tackle cybercrime with data science using this five-point framework (TechRepublic)

Key practices that can be put into place immediately

Paulsen and Toth take a hard look at how to increase employee awareness regarding information security via training. The authors agree that even though cybercriminals are becoming more sophisticated, they still prefer to use proven attack vectors, which means employees with suitable training should be able to avoid getting duped, especially by phishing schemes and malicious websites. Social engineering is another successful approach used by cybercriminals that can be thwarted by educating employees in the psychology behind social engineering.

SEE: Security awareness and training policy (Tech Pro Research)

Small businesses have more to lose

Small businesses run lean, forcing upper management to favor decisions that have a definite effect on the bottom line, while gambling that digital bad guys will leave their company alone; Paulsen and Toth suggest that may not be in the company’s best interest. Small businesses, according to them, often have more to lose when trying to recover from a security event and the incurred costs, even to where the business could fail.

“Small businesses often see information security as too difficult or that it requires too many resources,” conclude Paulsen and Toth. “It is true there is no easy, one-time solution to information security–it takes time and careful consideration with all relevant stakeholders. However, when viewed as part of the business’s strategy and normal processes, information security doesn’t have to be intimidating.”