What is the NIST 7621 Cybersecurity Framework, and How Can it Help Small Businesses?

Cyber attacks and ransomware threats on small businesses may not reach the headlines, but they pose a serious risk to businesses and their customers. Small businesses are the core of the economy and represent 99% of all US enterprises. Given the sheer number of small businesses, and the fact that their cybersecurity is the weakest compared to larger enterprises, malicious actors specifically target this low-hanging fruit. Small business cyber risk continues to increase each year and has resulted in millions of dollars, as well as entire businesses, lost. Large companies invest heavily in their security teams, while SMBs may not have proper security and mitigation services in place, putting them at risk. To quote the Acronis Cyberthreats Report, SMBs face an existential threat due to “increases in attack automation and supply-chain attacks against their IT service providers.”

NIST Interagency Report 7621 (NISTIR 7621)

Organizations can try to develop a set of relevant security controls on their own via an internal risk assessment process. Alternatively, they can comply with a prescribed set of guidelines. The latter method usually involves adopting a prebuilt framework and provides more consistency and coverage in control selection, implementation, and scalability.

Published in 2009 and revised in 2016, the NIST Interagency Report 7621 (NISTIR 7621) was developed as a reference guide on cybersecurity standards for small businesses. If you are a small business trying to understand where to start implementing organizational security practices, the NISTIR 7621 report defines the fundamentals of small business information security in non-technical language.

How the NISTIR 7621 Helps Small Businesses

NIST understands that not all businesses are created equal and that SMBs would be stripped of critical resources were they to implement more comprehensive security frameworks. The simplicity of NISTIR 7621 proves to be of great value to SMBs that don’t have dedicated security personnel with technical backgrounds. The revised guide is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was issued in 2014 as part of efforts to protect the nation’s critical infrastructure. Its simple vocabulary enables efficient communication, and its overall design helps businesses identify, protect against, detect, and respond to cybersecurity risks.

Small businesses often view security programs as daunting and expensive. Indeed, there is no easy, one-and-done solution to cybersecurity. It is important to keep in mind that just as there is a cost involved in protecting information and IT systems, there is a greater cost to not protecting those assets. When put into the context of business strategy and operational efficiency, implementing a cybersecurity policy for a small business offers tremendous benefits.

Costs of Data Breach and Cyber Incidents

Twenty-three percent of small businesses and 43% of businesses overall were targeted by cyber-attacks in 2020, according to a study commissioned by specialist insurer Hiscox. The same report finds that the average financial cost of cyber-attacks to U.S. small businesses with fewer than 250 employees was $25,612.

While some cyber-attack expenses are easy to quantify, there are also indirect costs that are more difficult to put into numbers. These include but are not limited to:

  • Regulatory fines and settlements
  • Disclosure costs
  • Reputational loss, loss of future business
  • Disruption of business operations and manufacturing

Benefits of Following the Guidelines in NIST 7621

  1. Adopting a framework, even the most basic one, makes a small business a less attractive target for malicious actors. Attackers look for vulnerabilities and security gaps that allow entry into a network.
  2. The expense of implementing a basic security program is far lower than the crushing financial damage of a data breach or cyber attack.
  3. Following a published set of standards can reduce liability risks such as lawsuits from clients and customers. Doing proper due diligence builds brand trust by demonstrating that sufficient steps were taken to protect sensitive consumer information and systems from attacks, theft, malfunction, and disasters.
  4. Cyber insurers demand a minimum set of requirements with the application for a cyber insurance policy. Proving your cyber resilience by adopting a NIST framework can help you get approved with better terms.

Structure of the Publication

The NISTIR publication walks SMBs through a simple risk assessment to gain insight into their security vulnerabilities. The revised edition, published in 2016, reflects changes to digital technology and regulations.

Based on NIST’s five core functions (identify, protect, detect, respond, and recover), the guide is divided into three main sections:

  • Risk management
  • Data Protection
  • Working Safely and Securely

In the rest of this article, we’ll briefly run through the guidelines presented in the publication.

Risk Management

  • Understanding and Managing Your Risks

Identifying and understanding your risks will help you focus your security efforts. Risks can never be completely mitigated, but the goal is to provide “reasonable assurance” that your security decisions are based on accurate and relevant information.

  • Elements of Risk

The scope of risk is very broad. Common risks that pertain to information security include environmental risks, equipment failure, and supply chain disruptions. Each type of threat will have a different effect on businesses depending on their industry, location, or size. Measuring the impact and likelihood of a threat materializing will help determine what type of protection to put in place.

  • Managing Your Risks

Risk management is successful when professionals across the organization collaborate to make informed decisions. This section contains basic steps for creating a risk-based security strategy.

  1. Identify what information your business stores and uses
  2. Determine the value of your information
  3. Develop an inventory and/or map
  4. Understand your threats and vulnerabilities
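The four steps above, worked through as a small risk register: an inventory of information assets with a business value (steps 1 to 3), the threats to each asset with a likelihood (step 4), and an inherent versus residual risk score that shows where protection is still weakest. This is an added illustration, not code from NISTIR 7621 or from Centraleyes; the 1-5 scales, the multiplication of impact by likelihood, and the sample retailer data are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# 1-5 ordinal scales are an assumption of this example; NISTIR 7621 asks that
# impact and likelihood be weighed but does not prescribe a scoring scheme.
LOW = 1


@dataclass(frozen=True)
class Asset:
    name: str      # step 1: information the business stores and uses
    value: int     # step 2: impact on the business if it is lost or exposed
    location: str  # step 3: where it lives, for the inventory / map


@dataclass(frozen=True)
class Threat:
    asset: Asset
    description: str    # step 4: threat or vulnerability affecting the asset
    likelihood: int     # chance of the threat materializing, 1-5
    control: str = ""   # protection put in place, if any
    reduction: int = 0  # likelihood points the control is judged to remove

    def inherent_risk(self) -> int:
        return self.asset.value * self.likelihood  # before any protection

    def residual_risk(self) -> int:
        # After the control; likelihood never drops below the scale floor.
        return self.asset.value * max(LOW, self.likelihood - self.reduction)


def build_register(threats: list[Threat]) -> list[Threat]:
    """Order by residual risk, highest first: that is where the remaining
    protection effort should go."""
    return sorted(threats, key=Threat.residual_risk, reverse=True)


# Constructed sample inventory for a small retailer (not real data).
CRM = Asset("Customer payment records", 5, "cloud CRM")
FILES = Asset("Employee payroll files", 4, "office file server")
SITE = Asset("Public marketing website", 2, "hosting provider")
SAMPLE_THREATS = [
    Threat(CRM, "phished staff credentials reused to log in", 4,
           control="multifactor authentication", reduction=2),
    Threat(FILES, "ransomware via unpatched file server", 3,
           control="patch OS and applications", reduction=2),
    Threat(SITE, "defacement through hosting account takeover", 2),
]
```

Calling `build_register(SAMPLE_THREATS)` puts the customer records first (residual 10, down from an inherent 20), which is the register telling the owner that multifactor authentication helped but that asset still deserves the next dollar of protection.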
  • Consult With Professionals

You may need to outsource your information security needs to service providers and third parties. You can use an automated risk and compliance management platform to give you all the tools to do it yourself. Doing your due diligence in researching reliable vendors will protect your business.

Data Protection

Safeguarding Your Information

  • Identify:
    • Control who has permission to access your business information. Determine whether administrative privileges, passwords, or multifactor authentication are required.
    • Identify who can physically access your computer system, including maintenance crews and technicians. Avoid “shoulder surfing,” where people walking by a screen can see sensitive corporate information.
    • Conduct background checks
    • Set up individual accounts for each employee
    • Create policies and procedures for information security
  • Protect:
    • Limit employee access to data and information
    • Install surge protection and uninterruptible power supplies
    • Patch your operating systems and applications
    • Install software and hardware firewalls
    • Secure wireless access points
    • Set up web and email filters
    • Use encryption for sensitive information
    • Dispose of old computers and media safely
    • Educate your employees
  • Detect:
    • Install and update anti-virus, anti-spyware, and other anti-malware programs
    • Maintain and monitor logs
  • Respond:
    • Develop a disaster recovery plan for information security incidents. It should include:
      • Roles and responsibilities
      • What to do with information systems in case of an attack
      • Who to contact, including emergency personnel, and customer notification
      • What defines a cyber incident
  • Recover:
    • Back up important business information
    • Consider cyber insurance
    • Make improvements to avoid a repeat attack

Working Safely and Securely

  • Pay attention to your coworkers and be vigilant of your surroundings
  • Be careful when handling email attachments and hyperlinks
  • Separate personal-use computers from business-use computers, mobile devices and accounts
  • Be wary of connecting removable devices to your computer or network
  • Only download from trusted sites
  • Don’t disclose business information to anyone outside your immediate organization without double-checking that this is not a social engineering attempt
  • Use strong passwords
  • Conduct online business with a secure browser only

How Centraleyes Can Help You

Centraleyes can help you dive into your first information security program and maintain continuous protection, so you can build trust with consumers, maintain solid business partnerships, and scale your policy as your company grows.

Mapping to Other Compliance Frameworks

Some businesses may be required to comply with state and federal laws and industry-regulated mandates like HIPAA, SOX, PCI DSS, FERPA, and others. The Centraleyes platform comes with many information security and data privacy framework templates, such as SOC 2, ISO 27001, HIPAA, PCI DSS, CMMC, and others. With Centraleyes, we provide you with a starting point for your initial risk assessment so that you can build an in-house security plan customized to your changing security needs. 

Streamlined Data Collection 

Collect data with pre-loaded smart questionnaires, automated workflows, and data analysis. Save up to 90% of time and resources by removing the manual labor of redundant data collection. Input once and apply data across frameworks with smart questionnaires and mapping so you can measure cyber resilience against various standards.

Quantify Risk

With our next-gen proprietary automated risk register, the platform loads risk scenarios while also allowing users to manually add additional risks. Map out and define your company’s unique risk scenarios. Quantify and reduce inherent and residual risk. Use in conjunction with pre-loaded risk assessments and benefit from the efficiency of managing risk and compliance in one platform.

Visual Reporting

Centraleyes builds graphic metrics that provide real-time visibility into your organization’s risk and compliance posture at the touch of a button. This feature provides excellent value as a communication facilitator for investors and non-technical board members. 

If you have questions about NIST’s publication on information security for small businesses and performing an initial risk assessment, we can help.

Contact us to get your free consultation.
