How NIST CSF 2.0 Helps Small Businesses

The NIST CSF Cybersecurity Framework (CSF 2.0) has had its first update in a decade. This voluntary framework previously focused on larger businesses in specific sectors, but it’s recently been expanded to better fit organizations of all sizes. The update offers particular advantages for small businesses that may not have the resources to invest in complex cybersecurity solutions. 

Changes to the framework

NIST CSF 2.0 has adapted and expanded to become more inclusive as a response to an ever-growing and changing threat landscape.  

Many small businesses simply aren’t prepared to deal with cyber threats. 57% of small business owners feel they won’t be targeted by cyberattacks, which is a false perception that has left many vulnerable. No one is too small to avoid being a target.  In reality, 43% of cyber attacks against SMBs are carried about against companies with less than 1,000 employees. In 2020, SMBs faced 700,000 attacks, leading to nearly $3-billion in damages. 

Even following an attack, it takes half of all small businesses more than 24 hours to even become operational again, which can be devastating financially. 

To address these issues and help small businesses manage these issues NIST CSF 2.0 have made key changes to the framework, including: 

• Expanded Scope: The framework now explicitly includes organizations of all sizes and sectors, not just those in critical infrastructure. This acknowledges the growing cyber threats faced by all organizations and the need for broader adoption of cybersecurity best practices.
• Emphasis on Governance: A new “Govern” function has been introduced, emphasizing the importance of leadership and strategic decision-making in cybersecurity. This promotes integrating cybersecurity considerations into broader organizational governance frameworks and ensuring adequate resources and oversight.
• Tailored Pathways: Recognizing diverse user needs, NIST CSF 2.0 offers pre-defined pathways for specific user groups like small businesses, enterprise risk managers, and supply chain security. These pathways provide customized guidance and resources, facilitating implementation and addressing unique challenges.
• Comprehensive Guidance: The “Govern” function complements the existing functions of Identify, Protect, Detect, Respond, and Recover. This holistic approach ensures informed decision-making, effective resource allocation, and continuous improvement in cybersecurity posture.
• User-Friendly Resources: A suite of new resources includes success stories, quick-start guides, and a searchable reference catalog. These resources aim to simplify implementation, offer practical insights, and facilitate integration with existing practices.
• Enhanced Accessibility: Translations of the framework are now available in multiple languages. This promotes global adoption and fosters international collaboration in cybersecurity, enhancing overall global resilience.
• Collaboration and Feedback: NIST encourages sharing of successful implementations, lessons learned, and innovative approaches. This collaborative effort enriches the framework’s resources, fostering continuous improvement and knowledge-sharing among users.

Let’s take a look at how these changes can benefit your small business. 

Benefits For Small Businesses

Small businesses are often targeted by cybercriminals due to their perceived lack of cybersecurity defenses. NIST CSF 2.0 helps small businesses identify their most critical assets and vulnerabilities, allowing them to prioritize their limited resources on addressing the most significant risks. This focus ensures they are not overwhelmed by trying to address every potential threat and can instead focus on the areas that matter most.

First and foremost, NIST has created a special guide specifically for small businesses, which you can find here.

The purpose of the guide is to give small-to-medium sized businesses (SMB)—specifically those who have little or no cybersecurity plans in place—a jumpstart in their cybersecurity risk management strategy. The guide is also intended to assist other relatively small organizations, such as non-profits, government agencies, and schools. Importantly, it is a supplement to the NIST CSF and is not intended to replace it.

Here’s how the updated framework will assist small businesses: 

New and tailored pathways and resources

NIST CSF 2.0 recognizes the unique challenges and resource limitations of small businesses. It offers pre-defined implementation pathways, including quick-start guides, specifically designed for their needs. These simplified resources streamline adoption and address their specific cybersecurity concerns without overwhelming them with complex procedures.

Because the framework doesn’t prescribe specific controls but provides a menu of options from which businesses can choose, they can pick  the most suitable option based on their individual risk profile and resources, including their budgets. 

Prioritized risk management

CSF 2.0 helps small businesses understand what level of cybersecurity risk is acceptable to their operations. The framework helps small businesses identify and prioritize their most critical assets and vulnerabilities. This allows them to focus their limited resources on addressing the most significant risks, ensuring they are not overwhelmed by trying to address every potential threat.

The update also places increased emphasis on supply chain risk management, which is crucial for small businesses that rely on third-party vendors and partners, which will help identify and mitigate risks associated with supply chain connections.

CSF 2.0 goes on to briefly highlight the importance of cyber risk transfer via insurance for small businesses. This can provide businesses with an additional layer of protection against potential cyber threats.

Increased competitiveness and resilience

By making cybersecurity guidance accessible to organizations of all sizes, CSF 2.0 levels the playing field and helps small businesses improve their resilience against cyber threats alongside larger enterprises.

Demonstrating a commitment to cybersecurity through the implementation of NIST CSF 2.0 can give small businesses a competitive edge. Customers and partners are increasingly concerned about data security, and implementing a recognized framework shows a proactive approach to protecting sensitive information.

Following the framework helps small businesses develop a comprehensive and systematic approach to cybersecurity, going beyond simply reacting to threats. A proactive approach builds resilience against evolving cyber threats and ensures long-term business continuity.

User-friendly resources

NIST provides various user-friendly resources like success stories and a searchable catalog of references. These resources offer practical insights and real-world examples, allowing small businesses to learn from others and adapt best practices to their specific context. This makes the process of implementing or expanding cybersecurity policies much easier for small businesses with limited cybersecurity expertise. 

Adhering to NIST CSF 2.0 recommendations can help small businesses meet certain industry regulations and best practices; it’s crucial for businesses operating in sectors with specific compliance requirements or those seeking to compete for contracts with larger organizations.

Reduced risk of cyber attacks

Over 70% of small businesses will experience a cybersecurity attack at some point. 

NIST CSF 2.0 emphasizes the importance of having a plan for detecting and responding to cyber incidents. This includes having procedures for identifying suspicious activity, isolating and containing incidents, and restoring affected systems. Even if an attack occurs, having a plan helps minimize damage and ensure a faster recovery, minimizing business disruption and financial losses.

By following the NIST CSF 2.0 framework, small businesses can develop a comprehensive and systematic approach to cybersecurity. This helps them not only address their immediate needs but also build a foundation for continuous improvement and long-term resilience against evolving cyber threats.

Getting Started

Cybersecurity laws and regulations simply aren’t changing at the pace they need to for small businesses to catch up and stay safe, which is why frameworks like NIST CSF 2.0 has become critically important. NIST CSF 2.0 has made resources available to help small businesses close the gap. 

• Start by assessing your risks, your assets, and the threats you face so you can tackle the issues head-on using the framework.
• Get leadership involved. Explain the importance of cybersecurity and ensure that budget and other resources are assigned in line with your goals. 
• Use the quick-start guides and success stories specifically designed for small businesses provided by NIST. These resources offer step-by-step instructions and real-world examples, making them highly valuable for starting your implementation journey.
• Don’t try to implement everything at once. Focus on the most critical functions based on your risk assessment and resource limitations. Start with smaller, achievable goals and gradually progress towards implementing a comprehensive cybersecurity strategy.
• Adapt! Remember, NIST CSF 2.0 offers a menu of options, not a one-size-fits-all approach. Select cost-effective and practical safeguards that address your specific risks and budget constraints. Explore free or low-cost solutions where possible.

And finally, get help if you need it!  While NIST CSF 2.0 is designed to be accessible to organizations of all sizes, don’t hesitate to seek professional assistance if needed. Cybersecurity consultants can provide valuable guidance and insight that can make a world of difference, even if you have a small business and limited resources.