
NIST Aims to Help Small Businesses Improve Their Cybersecurity Measures

A recent NIST guide is designed to help small businesses improve their cybersecurity measures and understand that they may still be targets.

By Elizabeth Snell

While some small businesses may assume that they are not primary targets for cyber criminals, the National Institute of Standards and Technology (NIST) wants to ensure that those organizations are able to implement the necessary cybersecurity measures to keep data safe.

NIST helps small businesses with guide on cybersecurity measures

NIST recently released Small Business Information Security: The Fundamentals, a guide meant to help smaller companies that may not be as well-versed in the latest cybersecurity tactics and show them basic steps to protect against evolving threats.

“Businesses of all sizes face potential risks when operating online and therefore need to consider their cybersecurity,” explained lead author Pat Toth, who also leads NIST outreach efforts to small businesses. “Small businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.”

The guide is really meant to help the companies that believe cybersecurity is too expensive or too difficult, Toth said in a statement. Smaller organizations may in fact have more to lose than larger ones because cybersecurity threats could be more expensive and harmful to their longevity, she said.

NIST used its own Framework for Improving Critical Infrastructure Cybersecurity as a template, as it has strong processes and tools that “provide key standards and best practices developed over decades by the federal government and industry.”

“Developing or improving your information security program will also make it easier for your organization to innovate – taking advantage of new technologies that can lower costs while delivering better services to your customers,” the new guide explains. “It is not possible for any business to be completely secure. Nevertheless, it is possible—and reasonable—to implement a program that balances security with the needs and capabilities of your business.”

The guide noted that monetary gain is not the only reason that cyber criminals may attack a business.

“Some may attack your business out of revenge (e.g. for firing them or somebody they know), or for the thrill of causing havoc,” the guide states. “Similarly, not all events that affect the confidentiality, availability, or integrity of your information (called “information security events”) are caused by criminals. Environmental events such as fires or floods, for example, can severely damage computer systems.”

Along with damage to information or information systems, businesses could also experience regulatory fines and penalties or legal fees, decreased productivity, or a loss of critical information that is needed to run the business.

“A strong information security program can help your organization gain and retain customers, employees, and business partners,” according to the guide. “Customers have an expectation that their sensitive information will be protected from theft, disclosure, or misuse.”

Overall, the guide covers the following key areas for small businesses:

  • How an information security program can be implemented
  • Key actions small businesses can take to develop or improve their information security and cybersecurity
  • Key practices directed towards users that organizations can implement immediately to protect their systems and information

Toth added that organizations should also back up their data through a cloud-service provider or to a removable hard drive. The backup should be kept away from the main office, so the information remains safe should something such as a fire occur.
