By Todd O’Boyle
On September 28, the U.S. Senate passed the MAIN STREET Cybersecurity Act, which will require the National Institute of Standards and Technology (NIST) to focus more of its resources on cybersecurity for small businesses by “disseminating clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.”
Right now, NIST’s cybersecurity programs are focused on large, enterprise-size companies. The major impact that small businesses are going to see from this Act is that more of the government cybersecurity programs and standards will be developed specifically for them. That’s good news for small businesses, as 60% of targeted cyberattacks are aimed at them and half of them go out of business within six months of a cyberattack, according to Sec.gov.
MAIN STREET Act cybersecurity resources we anticipate from NIST
The main requirement in the Act is that NIST will provide resources to promote awareness of simple, basic controls; a workplace cybersecurity culture; and third-party stakeholder relationships.
Small businesses are also likely to see many of the resources this Act provides focus on security standards. These guides will help small business owners set up and operate their information technology (IT) solutions in a safe manner. As a start, I’d anticipate that NIST will develop videos and one-pagers on phishing, basic IT hygiene, and cyber incident response.
Given the large adoption of managed service providers (MSPs) across small business, you may start to see MSPs adopt these standards and advice as a measure of their service. We feel this will be one of the more effective channels for government cybersecurity advice.
Over time, I think you’ll see programs to work with software vendors to help make small businesses more secure. This is something NIST and the National Security Agency (NSA) have done for some time and I think you’ll see this program expand to focus more on small and mid-sized businesses (SMBs).
Small business cybersecurity protections to enact now
There’s nothing in the Act that requires compliance with any specific standards. Unless you’re doing work with the Department of Defense, where compliance with NIST SP 800-171 is mandatory under defense acquisition regulations, the recommendations in the Act are voluntary. If your company is planning to take the initiative to become more secure even before the Act becomes law, there are recommendations that we make to all our small business customers to mount a more effective defense against today’s advanced cyberattacks:
Use cloud apps, office, and email services: Cloud-based applications contain modern security features such as two-factor authentication (see below for why this is important). Another exciting feature we’re seeing built into many apps is monitoring of where and when an account is used. Once you teach users how to spot irregular activity, this is one of the best indicators that an attacker has gotten in.
Second, ransomware hasn’t found its way into cloud-based apps yet. If you are using a Software-as-a-Service (SaaS) application, your data never makes it anywhere ransomware can reach it. That’s winning! Beware when mounting file sharing services as a network drive, though, as ransomware can find and encrypt the files there.
Last, cloud-based services like Google’s G Suite and Microsoft’s Office365 have built some interesting phishing and spam protection features into their platforms. Based upon some clever algorithms and crowd-sourced data, these apps are able to spot and visually identify suspicious emails so your staff think twice before clicking. We expect the technology behind this to get better over the next few years.
Turn on two-factor authentication: Passwords are the new battleground on the Internet. They are being stolen and reused at unprecedented rates. Two-factor authentication makes these passwords less useful once they are stolen.
Two-factor authentication is a security measure in which you set up a second way to prove who you are when logging in, in addition to entering a password. Typically, the user also has to enter a one-time code that is sent by text message (SMS) or generated by an authenticator app on their phone, so a stolen password on its own is worthless.
Cloud-based services like Google’s G Suite and Microsoft’s Office365 support two-factor authentication that is simple to put in place. Many banks and business applications, such as those offered by Quicken and Salesforce, also offer it.
We recommend you enforce two-factor authentication for all of your employees on critical systems. Make sure you train your people and plan for a little extra support from your help desk. People will get stuck and need a little push from you and your team to get them safe.
Educate employees about how to spot phishing emails: A survey by Nationwide found that 20% of small business owners have fallen victim to a phishing attack. That’s one in five small businesses. Your employees should be properly trained about how to spot phishing emails so they don’t click on them and be instructed to forward suspicious emails to the IT and security team.
Even with the best user education programs, sometimes your users will click. Maybe the phish was very compelling or didn’t have any “tells” that it was a phish. In this case, you will need phishing protection. These solutions monitor for your users clicking on phishing e-mails and prevent attackers from being able to carry out their nefarious mission.
Consider a phishing protection solution that provides ongoing user education via a video or other method at the point the user clicks on a phishing link. That way, you can reinforce your training program the moment a user makes a mistake. Having even just one person report a potential phishing email protects your whole team. You can find additional tips on phishing education in our blog User Training: A Low-Tech Solution to Phishing.
Small businesses will get more secure
For small businesses to adopt any type of cybersecurity resources, they need to be simple to use and have a clear path to adoption. Cyber threats aren’t going away; in fact, we expect them to continue to hit small businesses where they hurt, threatening their very livelihood. The MAIN STREET Cybersecurity Act of 2017 will encourage small businesses to take a fresh look at the ways they can better protect themselves and then take the steps they need to put the proper safeguards in place.
Todd O’Boyle is CTO and a co-founder at Strongarm, a provider of simple, automated and affordable security for small and mid-sized businesses. Todd spent 15 years at The MITRE Corporation, providing technical support to the U.S. Department of Defense and the Intelligence Community. He also served as principal investigator for a project developing methods to improve how defenders respond to cyberattackers. Got any feedback for me? Reach out to firstname.lastname@example.org.