Pat Toth

Ignoring Cybersecurity Is Risky Business

Take it from a caution giver

Published: Tuesday, January 3, 2017 - 08:57

They say opposites attract. Although my husband and I have many important things in common, we are complete opposites in one area. He’s a “risk taker,” and I’m... well, not so much. Rather than being labeled as “risk averse,” I prefer the term “caution giver.”

I’m a federal employee. I come from a long line of public servants. I bet that my ancestors probably worked in the service of the king or queen, or at least the local earl or baron, before they came to the United States. My husband is a different story. He’s a small-business owner. Whereas I tend to worry and ask a lot of what-if questions, he likes the challenge of being in command and building his business.

In my role leading NIST’s Cybersecurity for Small Business Outreach, I’ve met many small-business owners, and most have similar personalities to my husband. They have incredible drive and an unrelenting spirit. Small-business owners see opportunities where caution givers like me only see risk.

It might be in your nature to be a risk taker, but cybersecurity is one area where you need to listen to the caution givers. Many small businesses might not have the resources to employ an entire IT security team, and that makes them especially vulnerable to attack. Not to fret, though (leave that up to me); there are some simple things you can do now to help manage cybersecurity risks to your small business.

Train your employees

Employees at every level must know the company policy on computer use. Review the policy regularly for updates and make certain it is accurate, clearly understood, and posted for all to see.

Are the employees allowed to use social media on their work computers? Social media is a great way to interact with your customers and grow your business, but attackers can also use it for social engineering. The names, job titles, and vendor relationships your employees post give an attacker exactly what is needed to write a convincing message, and that message can fool your employees into giving away information that hurts your business’s reputation or lets someone steal from you.

Are employees downloading and using applications on their work computers? Free games may be fun to play during a lunch break, but what else is going on? Hackers can gain access to computer systems via games and “free” applications you find online. Allow employees to install applications only when they need that application to do their work and it is from a trusted source.

How do employees handle information that may be sensitive to the business, such as tax or payroll information? Enforce a rule to never send sensitive information through unencrypted email.

Aside from these proactive steps, train employees on what to do when a security incident occurs: whom to notify, how to describe what they saw, and why they should stop using the affected machine rather than try to clean it up themselves, since that destroys the evidence you will need.

Stay up to date

Even the best software isn’t perfect, and hackers are constantly looking for ways to exploit those imperfections. Thankfully, software designers and security researchers constantly work to correct imperfections and plug the holes in their products, but a fix only protects you once it is installed. Apply updates promptly, turn on automatic updates wherever the product offers them, and retire software that its vendor no longer patches.

Install and activate software and hardware firewalls

Firewalls block network traffic you have not explicitly allowed, for example connections from the internet to computers and services that should never be reachable from outside your business. Turn on the software firewall built into each computer’s operating system, and install a hardware firewall between your business’s internal network and the internet. (Malicious email and dangerous websites are handled by the web and email filters described below, not by the firewall.)

Secure wireless access point and networks

If your business uses wireless networking, change the administrative password and the default Wi-Fi passphrase that were on the device when you bought it; the defaults are printed in the manual and known to everyone. Turn on WPA2 (or WPA3, if the device supports it) encryption with a strong passphrase. You can also set the access point so that it does not broadcast its service set identifier (SSID), but treat that as hiding the network from casual view only: anyone with a wireless scanner can still find it, so it is not a substitute for encryption.

Connect only to wireless networks that you trust. That free Wi-Fi in the coffee shop may be convenient, but anyone else on that network, or whoever runs it, may be able to read or tamper with what you send unless the connection itself is encrypted. If you must use it, use a VPN back to your office.

Require individual user accounts and strong passwords

Each user should have an individual account and password; with a shared account you cannot tell who did what, and you cannot revoke one person’s access without disrupting everyone. Do not share passwords with anyone, including other employees. Administrative privileges should be limited to a few employees, and your employees should have access only to those systems that they need to do their jobs. Limiting administrative privileges also keeps ordinary users, and any malware running as them, from installing unauthorized software. Require your employees to use strong passwords and train them on how to create one: a long passphrase they can remember beats a short string of symbols they will write on a sticky note. Turn on multi-factor authentication wherever your email, banking, and cloud services offer it.
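As an added illustration that is not part of the original post, the check below shows what “strong password” training can be backed by in practice. It follows the approach in NIST SP 800-63B (a minimum length and a screen against known breached passwords, rather than rules about symbol counts) and also undoes the common substitutions attackers try first, so “P@ssw0rd1” is rejected as the dictionary word it really is. The breached-password set is a small constructed sample for demonstration; a real deployment would check against a large corpus.

```python
import re

# Constructed, illustrative sample of entries from a breached-password list.
# A real deployment would screen against a large breach corpus instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer", "iloveyou"}

MIN_LENGTH = 8  # minimum length for user-chosen passwords in NIST SP 800-63B

# Character substitutions that add no real strength ("P@ssw0rd" is still "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def canonical(pw):
    """Reduce a password to the base word an attacker's mangling rules would
    try first: lower-case it, drop a trailing year/number/punctuation, and
    undo the common letter-for-symbol substitutions."""
    base = re.sub(r"[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def is_trivial_pattern(pw):
    """True for runs such as 12345678, abcdefgh, hgfedcba or aaaaaaaa."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1}, {0})


def check_password(pw, username=""):
    """Return the reasons a password is rejected; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in BREACHED or canonical(pw) in BREACHED:
        problems.append("matches a known breached password (after undoing common substitutions)")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if is_trivial_pattern(pw):
        problems.append("keyboard sequence or repeated character")
    return problems


if __name__ == "__main__":
    # Constructed candidates an employee might pick during training.
    for candidate, user in [("P@ssw0rd1", "pat"), ("Summer2017!", "pat"),
                            ("12345678", "pat"), ("pat2017", "pat"),
                            ("coffee-stapler-orbit-42", "pat")]:
        verdict = check_password(candidate, user) or ["ok"]
        print("%-25s %s" % (candidate, "; ".join(verdict)))
```

The point of the canonical() step is that composition rules (“one symbol, one digit”) steer people toward exactly the mangled dictionary words that cracking tools enumerate first; screening the reduced form catches those, while a long passphrase with no dictionary base passes without any symbol requirement.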

Set up web and email filters

When you are selecting an email provider, make sure it filters spam and phishing messages and blocks malicious attachments before they reach your employees’ inboxes. Use web filtering, in the browser or at the network level, to keep your employees away from websites known to host malware or phishing pages.

Make full backups of important business data

Do a full, encrypted backup of every computer and mobile device at least once a month, and more often for data that changes daily. Do this shortly after a complete virus scan, so that you are not preserving an infection. Store your backups away from the office in a protected place, so that if something happens at the office, your data are safe, and keep at least one copy disconnected from your network: ransomware encrypts any backup drive it can reach along with everything else. Finally, practice restoring from a backup from time to time. A backup you have never restored is an assumption, not a safeguard.

Be cyber-aware

If you are a small-business owner, you may be a risk taker, too. Take it from a caution giver: There are some risks you shouldn’t take—no matter what. Being careless with cybersecurity is one of them. If you’re looking for a more detailed cybersecurity model, check out the NIST Cybersecurity Framework and the report: “Small Business Information Security: The Fundamentals.”

And be careful out there!

First published on NIST's Taking Measure blog.


About The Author

Pat Toth

Pat Toth is a supervisory computer scientist in the Applied Cybersecurity Division at NIST, where she serves as the Small Business Outreach Lead. She is currently on a detail assignment to the NIST Manufacturing Extension Partnership (MEP) providing cybersecurity guidance to small manufacturers.