Forwarded from: "Lennon, Elizabeth B." <elizabeth.lennon@ (at) nist.gov>
ITL BULLETIN FOR NOVEMBER 2009
CYBERSECURITY FUNDAMENTALS FOR SMALL BUSINESS OWNERS
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce
Small businesses contribute significantly to the U.S. economy,
comprising over 95 percent of all businesses in our country, producing
about 50 percent of our Gross National Product (GNP), and creating about
50 percent of all of the new jobs. Small business owners face serious
challenges in protecting their business information and the private
information of their customers and employees. Often lacking sufficient
resources to secure their information infrastructures effectively, small
businesses are frequent targets of criminal attacks and hostile threats
The Information Technology Laboratory of the National Institute of
Standards and Technology (NIST) recently issued a new guide that tailors
basic information on cybersecurity to the specific needs of small
business owners to help them in planning for and managing secure
information systems. NIST Interagency Report (NISTIR) 7621, Small
Business Information Security: The Fundamentals, by Richard Kissel,
presents three major areas that small businesses should address to
provide security for their information, systems, and networks: essential
information security practices, highly recommended practices, and other
planning considerations. The major recommendations for each of these
three areas are summarized in the following sections of this bulletin.
The guide, which is available at
provides more details on each of these actions and advises about steps
to be taken for specific operating systems.
The best practices recommended by NIST focus on helping small businesses
to avoid the costs of not protecting systems and information, and to
protect the safety and security of information of their customers and
their employees, as well as their sensitive business information.
Ten Essential Activities to Protect Small Business Information, Systems,
NIST recommends that small business organizations take the following
actions to improve the effectiveness and security of their information
* Protect information, systems, and networks from damage by viruses,
spyware, and other malicious code.
Small businesses should install antivirus and antispyware software on
every computer used in their business operations. The antivirus and
antispyware software, which is readily available from commercial
software vendors, should be updated regularly. Many vendors offer
subscriptions to “security service” applications, which provide multiple
layers of protection, in addition to antivirus and antispyware
protection. The software can be set to automatically check for updates
and to carry out security scans at scheduled times, such as during the
night. Business organizations should obtain copies of the antivirus
software that is used by the business systems for the home systems of
those employees who work at home.
* Provide security for Internet connection.
Business computers and networks that have broadband access to the
Internet for 24 hours a day every day are exposed to continual hostile
threats. Small businesses should install and keep operational a hardware
firewall between their internal networks and the Internet. The firewall
function may be provided by a wireless access point or router installed
by the small business or by a router operated by the Internet Service
Provider (ISP) of the small business. Home systems used by employees
working at home should be protected by a hardware firewall between their
systems and the Internet. Administrative passwords and default
passwords provided with new software should be changed when the firewall
is installed, and at regular intervals thereafter.
* Install and activate software firewalls on all business systems.
A software firewall should be installed and used on every operational
computer system, and should be updated regularly. Software firewalls are
needed to supplement the protection provided by hardware firewalls. Some
operating systems include firewalls installed as part of the system.
Software firewalls are available for purchase from vendors, and
sometimes can be obtained free of cost. All systems, including
employees’ home systems, should be checked to assure that the software
firewalls are installed and operational. More detailed information on
software firewalls available for different operating systems is included
in NISTIR 7621.
* Patch all operating systems and applications.
The vendors of major operating systems generally provide patches and
updates to their products to correct discovered security problems and to
improve functionality of the software. Patches should be applied to
installed business systems regularly, and installed on all new systems
and software. Details on the installation of patches are included in
* Make backup copies of important business data and information.
Copies should be made of all data including word processing documents,
electronic spreadsheets, databases, financial files, human resources
files, accounts receivable and payable files, and other information used
in or generated by the business. This will prevent loss of data when
there are equipment failures, employee errors, or destruction of data by
malicious code. An automatic backup should be done at least once a week,
and stored on a separate hard disk on each business computer, off-line
on a form of removable media, or in online storage. A full backup of all
data should be made once a month, and stored away from the business
location. Regular backups and monthly backups, which can be made on
external Universal Serial Bus (USB) hard drives, should be tested
regularly to ensure that the data can be accessed and used
* Control physical access to business computers and network components.
Unauthorized persons should not be allowed to access or to use any
business computers, including laptops. Computers should not be available
to access by cleaning crews or by unsupervised repair personnel.
Employees working at their computers should position their displays so
that they cannot be seen by people walking by an office or by unknown
strangers who may walk into an office.
* Secure wireless access points and networks.
Small business owners who use wireless networking should set the
wireless access point so that it does not broadcast its Service Set
Identifier (SSID). When new devices are acquired, the administrative
password that was on the device when it was purchased should be changed.
Strong encryption should be used so that data being transmitted between
the businesses’ computers and the wireless access point cannot be easily
intercepted and read by electronic eavesdroppers. The current
recommended encryption is WiFi Protected Access 2 (WPA-2), which uses
the Advanced Encryption Standard (AES) for secure encryption.
* Train employees in basic security principles.
Employees should be trained to use the sensitive business information
properly and to protect the business’ and its customer’s information.
Employees should receive training on the organization’s information
security policies, including the use of computers, networks and Internet
connections, the limitations on personal use of telephones, printers,
and other business resources, and any restrictions on processing
business data at home. After receiving their training, employees should
be requested to sign a statement indicating that they understand and
will follow business policies, and that they understand the penalties
for not following the policies. Security training for employees can be
arranged through the local Small Business Development Center (SBDC),
community college, technical college, or commercial training vendors.
* Require individual accounts for each employee using business computers
and business applications.
A separate account should be established for each individual computer
user, and strong passwords should be used. Passwords should be changed
at least every three months. The employees’ individual accounts should
not have access to administrative accounts to avoid the installation and
spread of unauthorized software or malicious code.
* Limit access to data and information by employees, and limit the
authority to install software.
Access to all data and to all systems, including financial, personnel,
inventory, and manufacturing, should not be provided to any one
employee. Access to systems and data should be limited to the specific
systems and information that employees need to do their jobs. One
employee should not be allowed to both initiate and approve
transactions, such as financial transactions.
Highly Recommended Practices for Small Businesses
The following practices are also very important and should be
implemented immediately after the essential activities are put into
* Examine carefully email attachments and emails that request sensitive
Email attachments should not be opened unless the email is expected and
the sender is trusted since this is a means for distributing spyware or
malicious code. The individual who may have sent the email should be
called and asked if the mail is legitimate. If the sender’s computer has
been compromised by malicious code, the code can be installed on the
computer of the person who opens the attachments that have been sent.
* Examine carefully web links in email, instant messages, social media,
and other communications.
Connecting to links in email messages can lead to the installation of
malicious software, viruses, or key stroke logging software on the
user’s computer. These links should be avoided unless the sender is
trusted and the web link is known to be a legitimate one.
* Avoid popup windows and other hacker tricks.
Popup windows that request a response should be closed. Attackers
frequently develop popup windows to try to trick the user into
downloading and installing spyware or other malicious code. Employees
should be trained not to bring into the office any USB drives that might
be infected by hackers, and they should not plug them into the business
* Conduct online business and online banking securely.
Online business, commerce, and banking should be conducted using a
secure browser connection. This will normally be indicated by a small
lock visible in the lower right corner of the web browser window. The
web browser cache, temporary Internet files, cookies, and history
associated with online commerce or banking sessions should be erased
after the end of the sessions. This will prevent sensitive information
from being stolen by a hacker or by a malware program, if the system has
* Engage in secure personnel practices when hiring employees.
Comprehensive, nationwide background checks should be conducted before
new employees are hired, and criminal background checks should be
considered for all prospective new employees. Online background checks
are quick, relatively inexpensive, and readily available. In addition,
credit checks on prospective employees should be considered, and the
references provided by prospective employees and their former employers
should be contacted.
* Adopt secure practices for web surfing.
Users with administrative privileges should not surf the web to avoid
the installation of malicious code. A guest account with limited
privileges can be established for those employees who need web access,
such as for educational purposes.
* Limit the downloading of software from the Internet.
Software should not be downloaded from any unknown web page. Only web
pages from trusted business partners and services, such as operating
system providers, should be downloaded. Freeware or shareware from a
source on the web should be examined carefully. Though there may be no
cost, this software often does not provide technical support.
* Seek specialized expertise in information system security when it is
Sources of expertise in information security for small businesses
include Small Business Development Centers (SBDCs), Service Corps of
Retired Executives (SCORE), local Chambers of Commerce, Better Business
Bureaus, and community and technical colleges. All potential service
providers should be examined and reviewed for past performance and
* Protect sensitive information when disposing of old computers and
Small businesses should dispose of old business computers by removing
and destroying the hard disks, electronic components, and connectors.
Also old storage media that is obsolete and no longer usable, such as
CDs, floppy disks, and USB drives, should be destroyed, and paper
containing sensitive information should be shredded.
* Protect information and systems from social engineering techniques.
Social engineering is a personal or electronic attempt to obtain
unauthorized information or access to systems or sensitive areas by
attackers who manipulate people. The process is often conducted through
telephone calls. Employees should be trained to be helpful, but to be
vigilant when asked for information or special system access, and to
authenticate callers by asking for identification information. All
attempts by outsiders to obtain information or system access should be
reported to management.
In addition to the operational procedures described above, small
businesses should consider the following issues when planning and
implementing their information systems:
* Contingency and disaster recover planning.
Plans should be developed for restoring business operations that might
be interrupted by natural disasters and contingencies, such as floods,
fires, tornados, power outages, sewer backups, or water damages. Since
power outages are common, each computer and critical network component
should be connected to an Uninterruptible Power Supply (UPS). An
inventory should be made of all information used for operating the
business. The information in the inventory should be prioritized for its
importance to the business. Appendices A and B of the NIST small
business guide include worksheet templates to help small businesses
collect and evaluate this information.
* Cost-avoidance considerations in information security.
While there is a cost involved in protecting information, small
businesses must consider the costs of not protecting information. For
example, some states have enacted notification laws that require
businesses, including small businesses, to notify, in a specified
manner, all persons whose data might have been exposed in a security
breach, such as a hacker incident, malicious code incident, or an
unauthorized release of information. Appendix C of the guide contains a
worksheet that can be used by small businesses to calculate the costs of
not providing adequate protection to each data type used in the
business, from the highest priority to the lowest priority, and for
different information security incidents.
* Business policies related to information security and other topics.
Small businesses should develop and circulate written policies that
identify acceptable practices and expectations for business operations.
Some of the policies are related to human resources, and others are
concerned with permitted employee practices for using business
resources, such as telephones, computers, printers, fax machines, and
Internet access. The range of potential policies is largely determined
by the type of business and the degree of control and accountability
desired by the business owner. Legal and regulatory requirements may
also require that certain policies be put in place and enforced.
Policies for appropriate use of information, computers, and networks,
and policies for Internet security should be formulated to convey the
business management’s expectations to employees. These policies should
identify the information and other resources that are essential to the
operation of the business, and should describe how management expects
the resources to be used and protected by all employees.
These policies should be communicated clearly to all employees, and all
employees should sign a statement stating that they have read the
policies, that they will follow the policies, and that they understand
the possible penalties for violating the policies. This will help
management to hold employees accountable for violation of the business
policies. Penalties should be established for disregarding business
policies, and all penalties should be enforced fairly and consistently
for anyone who violates the policies of the business.
NIST Interagency Report (NISTIR) 7621, Small Business Information
Security: The Fundamentals, by Richard Kissel of NIST, is available on
NIST’s web page
For information about other NIST security-related publications,
including information about the use of firewalls, media sanitization,
and encryption, see NIST’s web page
The term Small Enterprise (or Small Organization) is sometimes used for
small businesses. A small enterprise or organization may also be a
nonprofit organization. The size of a small business varies by type of
business, but typically it is a business or organization with up to 500
employees (according to the U.S. Small Business Administration).
U.S. Small Business Administration
White House Blog (information about cybersecurity awareness)
Federal Trade Commission (for information on identity theft)
Any mention of commercial products or reference to commercial
organizations is for information only; it does not imply recommendation
or endorsement by NIST nor does it imply that the products mentioned are
necessarily the best available for the purpose.
Received on Mon Nov 30 01:44:15 2009