Small businesses need not be the victims every time, and guidance exists to support them.
They say that the bigger they are, the harder they fall, but when it comes to cyber-attacks, small businesses can suffer far more than enterprises. Indeed, the annual report from IBM Security finds that the average cost of a data breach for businesses with fewer than 500 employees reached $3.31 million in 2023, representing an annual increase of 13.4 per cent.
With such a staggering total, a small business may not even survive just one incident.
Fortunately, governments recognise the vital role that small businesses play in maintaining a dynamic and resilient economy and are making dedicated efforts to help SMBs tackle this challenge. Both the UK and the US have developed security frameworks that provide recommendations on practical, cost-effective, and easy-to-implement measures to thwart attackers and strengthen cyber resilience.
Cyber Essentials Framework
Cyber Essentials is designed to help organisations protect themselves against common cyber threats, focusing on five critical technical controls that, when implemented alongside best practices, can prevent 80 percent of the cyber-attacks typically encountered by small businesses. These five measures are firewalls, secure configuration, user access control, malware protection, and patch management.
The guidance is written and presented in a way that doesn’t require advanced IT skills. Instead, a wizard walks business owners through a series of simple questions. Then it produces a readiness toolkit based on their specific answers. This simple method ensures that even small businesses with limited technical expertise can effectively enhance their cybersecurity posture.
Cyber Essentials also offers two certification options for small businesses. The self-assessment option provides small business owners with peace of mind that they have implemented the Cyber Essentials technical controls sufficiently to stop most cyber-attacks.
The other option is Cyber Essentials Plus, which supplements the Essentials program with independent testing and verification by an external certification body. This process includes factors such as vulnerability scanning and penetration testing.
NIST CSF 2.0 Small Business
Meanwhile, the United States government has assisted in the development of a Small Business Quick-Start Guide for the NIST Cybersecurity Framework (CSF). Designed to help SMBs kick-start their cybersecurity risk management strategy, this guide specifically addresses the resource limitations and other challenges that smaller organisations face when it comes to cybersecurity.
The quick-start guide is organised around the six high-level functions in NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond and Recover. Within each function, it homes in on the key measures that SMBs should prioritise, such as:
* Inventorying and classifying business data
* Changing vendors’ default passwords
* Monitoring the IT environment for suspicious activity
* Assessing the integrity of backup data and other assets before using them for recovery
* Establishing an incident response plan
While the NIST CSF quick-start guide is slightly more involved than Cyber Essentials, both resources help SMBs prioritise their limited resources on addressing the most significant risks, and they both provide that guidance in an accessible format that SMBs can understand without help from costly cybersecurity experts.
The Importance of Doing Something
Every organisation, even the smallest one, has a duty of care to implement reasonable security measures to protect against the most common cyber threats. While there is no way to prevent criminals from launching attacks, there are effective strategies that any business can adopt to significantly reduce the likelihood of suffering a devastating security incident.
Both Cyber Essentials and the NIST CSF provide SMBs with a solid foundation for cyber resilience. They are readily available, reputable resources that help make cybersecurity structured, accessible and effective for today’s small businesses. Adopting either framework offers several benefits:
* Enhanced credibility — While neither Cyber Essentials nor the NIST CSF is mandatory for most organisations, adopting either of them demonstrates a serious commitment to cybersecurity that can enhance trust with customers, partners and investors.
* Eligibility for government contracts — Cyber Essentials certification can open doors to UK government contracts involving sensitive information or technical services.
* Regulatory alignment — These frameworks support compliance with a variety of industry standards and legal mandates such as GDPR, though they are not comprehensive solutions.
* Reduced insurance premiums — Some insurance companies offer discounts to businesses that demonstrate strong cybersecurity practices or can prove certification.
* Competitive edge — Prioritising cybersecurity can differentiate your business, especially in the B2B sector, where security weaknesses in the supply chain can be a deal breaker.
Cybersecurity is no longer a concern exclusive to large corporations; it is a fundamental part of running any business, regardless of size. While SMBs may not have the same budgets, resources and deep IT expertise as their corporate counterparts, there are proven, cost-effective measures they can take to significantly enhance their cybersecurity and cyber resilience.
Frameworks such as Cyber Essentials and the NIST CSF 2.0 Small Business Quick-Start Guide provide a great starting point that any business can build on.
Written by
Ilia Sotnikov
Security Strategist
Netwrix