Cybersecurity for small business: Understanding the NIST Cybersecurity Framework


Andrew Smith, Director, FTC Bureau of Consumer Protection

The FTC hosted roundtables across the country asking small business owners how we can help you address the challenges of cybersecurity. Based on your feedback, we designed to-the-point tips, now available online. Last week we kicked off a 12-part every-Friday Business Blog series with cybersecurity basics. Today’s topic: what you need to know about the NIST Cybersecurity Framework.

One thing business owners told us at those roundtables was the need for consistent advice from the different federal agencies with expertise in data security and cybersecurity. Message received. That’s why we worked with NIST – the National Institute of Standards and Technology at the U.S. Department of Commerce – to create a new factsheet for small businesses about NIST’s Cybersecurity Framework. The Framework helps businesses of all sizes better understand, manage, and reduce the cybersecurity risks to their networks and data. The Framework is voluntary, but it gives businesses an outline of best practices to help you decide where to focus your efforts. Here’s a summary of how it breaks the task down into five key areas.

Identify
List all equipment, software, and data you use – laptops, smartphones, tablets, point-of-sale devices, etc. Create and share a company cybersecurity policy that spells out the responsibilities of employees, vendors, and anyone else with access to sensitive information. Think through the steps to take to protect against an attack and limit the damage if one occurs.

Protect
The Framework includes some practical “to dos” for protecting your business:

  • Control who logs on to your network and uses your computers and other devices.
  • Use security software. Update it regularly. If possible, automate those updates.
  • Encrypt sensitive data at rest and in transit.
  • Back up data regularly.
  • Have a policy in place for securely disposing of files and devices you no longer have a business need to keep.
  • Train employees in cybersecurity, emphasizing the critical role every member of the team plays.

Detect
Who’s doing what on your devices and networks? Monitor your computers for unauthorized access, devices (like USB drives), and software. Investigate any unusual activities on your network or by your staff.

Respond
Hope for the best? Yes, but plan for how you’ll respond if your business is the target of a cyber attack. Consider how you’ll notify customers and others whose data may be at risk, keep business operations up and running, report the attack to law enforcement and other authorities, and investigate and contain the attack. While the episode is still fresh in your mind, update your cybersecurity policies to reflect lessons learned and test your plan periodically. Of course, cyber crooks aren’t the only threat your network faces. Build into your plan contingencies for weather emergencies or other unexpected events that may put data at risk.

Recover
After an attack, restore affected equipment and parts of your network. Keep employees and customers informed about the steps you’re taking to recover.

Learn more about NIST’s Cybersecurity Framework and visit their Small Business Corner. Looking for a down-to-business resource for your employees? Download the FTC’s factsheet on the NIST Framework.

Next week: How cybersecurity begins with strong physical security