
National Institute of Standards and Technology Releases Cybersecurity Guide for Small Businesses

The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness. The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (referred to below as the Cybersecurity Framework).

According to NIST’s press release, the guidance is “written for small-business owners not experienced in cybersecurity and explains the basic steps they can take to better protect their information systems.” The guidance notes that small businesses are often viewed as soft targets by cyber criminals because they have fewer resources to devote to information security than larger organizations.  For purposes of this guidance, NIST defines small businesses as for-profit, non-profit, and similar organizations with up to 500 employees; however, this guidance provides an overview of information security and cybersecurity along with key recommendations that are generally applicable to all businesses regardless of size.

The guidance is divided into four sections and appendices.  The first section provides background on information security and cybersecurity and provides context for the additional sections.  The second section provides recommendations on how to identify, understand, and manage certain cyber-related risks and outlines when it is appropriate to seek outside assistance.  The third section sets forth programmatic steps that small businesses can take to develop or improve their cybersecurity maturity using the Cybersecurity Framework’s broad categories: Identify, Protect, Detect, Respond, and Recover.

The fourth section provides a list of “recommended practices” that small businesses can immediately implement to better protect their systems and information.  These practices include the following:

  • Pay attention to the people you work with and around.

  • Be careful of email attachments and web links.

  • Use separate personal and business computers, mobile devices, and accounts.

  • Do not connect personal or untrusted storage devices or hardware to your computer, mobile device, or network.

  • Be careful downloading software.

  • Do not give out personal or business information.

  • Watch for harmful pop-ups.

  • Use strong passwords.

  • Conduct online business more securely.

Lastly, the appendices contain helpful information security resources for small businesses, including risk analysis worksheets and sample information security policy and procedure statements.

© 2020 Covington & Burling LLP


About this Author

David Bender, data privacy and cybersecurity attorney, Covington Burling

David Bender is an associate in the firm’s Washington office. He is a member of the Data Privacy and Cybersecurity and Communications and Media practice groups. Mr. Bender advises clients on a broad range of privacy and data security issues regarding the collection, use, and disclosure of information online.

Ashden Fein, Litigation attorney, Covington Burling

Ashden Fein advises clients on cybersecurity and national security matters, including government and internal investigations, regulatory, and complex litigation matters.

For cybersecurity matters, Mr. Fein specifically counsels clients on preparing for and responding to cyber-based attacks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Mr. Fein also has been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.