Bringing business to the internet is a double-edged sword for most organizations. While the promise of greater exposure and customer visibility provides a constant allure, there are security perils that can counteract the promise of e-commerce.
Additionally, the few resources that offer smaller organizations a consolidated learning and awareness path for staying secure online are scattered and inconsistent. As a result, an industry of non-regulated, objective cybersecurity awareness training has emerged.
These trainings, while providing an organization some measure of confidence that it is better prepared for the wilds of the internet, also vary widely in how they approach arming businesses against the threats they may experience online. Therefore, it likely comes as a relief for many organizations to learn of the recent signing of the NIST Small Business Cybersecurity Act in the United States. This act will help organizations gain access to consolidated, measured and approved training mechanisms that until recently seemed attainable only by larger, better-resourced organizations.
Through signing the NIST Small Business Cybersecurity Act, Congress has ensured that small and mid-sized businesses will experience a higher baseline level of safety online, and perhaps established a frame of reference that can be useful to other countries, as well.
Before this legislation, many organizations were susceptible to multiple levels of online attack and exploitation without awareness of the true impact that these attacks could have on their organizations.
In fact, it is often through these small organizations that large-scale attacks occur. For example, the 2013 Target attack did not take place through a direct attack on Target by the online miscreants. Instead, the hackers targeted one of the smaller businesses with which Target contracted and used that compromised system to gain access to the greater Target network.
After the attack, Target devoted many of its resources to ensuring that the attack would not happen again. These resources included extensive training for Target professionals and workers. However, without careful monitoring of the organizations with which they affiliate, Target and other organizations still carry real risk, as there is no consolidated, guiding directive that promotes small business cybersecurity training.
While it is disconcerting to think that there are many businesses at risk from cyber-attack or exploitation, it should be noted that there are certain options currently available for these companies to leverage for their benefit.
Many companies, such as KnowBe4, provide training for businesses of any size, ensuring that an organization with the desire and funding for cybersecurity awareness training can obtain it.
However, many different organizations and businesses offer a wide variety of training types and methods, few of which are coordinated or follow a specific policy or guidance.
The NIST Small Business Cybersecurity Act attempts to bring order to this confusion in the same fashion that the NIST Cybersecurity Framework did for the field of cybersecurity overall. Specifically, the act requires the director of NIST to ensure that resources are disseminated which “help small business concerns identify, assess, manage and reduce their cybersecurity risks.”
Importantly, these resources will be generally applicable, include case studies that demonstrate practical application, be technology-neutral, and promote basic cybersecurity controls that can be performed in any workplace, including third-party stakeholder relationships.
Providing these guiding resources will give all online training organizations a common baseline. Training bodies will now have a point of reference from which to work, and small businesses will have an authoritative reference to reach for when training is required.
Given the passing of this legislation, all businesses, no matter their size, will have a fighting chance online, and the fear of potential attack or exploitation may be, at least somewhat, assuaged.