This week’s blog post highlighting Cybersecurity Awareness Month is from NIST’s Marian Merritt, Deputy Director and Lead for Industry Engagement for the National Initiative for Cybersecurity Education (NICE). In this post, Marian discusses ways to minimize cybersecurity risks for small businesses.
Like many in the cybersecurity industry, my career path to my current role was anything but a straight line. I began in the marketing field, working in consumer-packaged goods. It was that experience translating consumer needs to product that led me to the technology field. I started as a product manager for the leading antivirus software publisher and spent nearly 18 years in a variety of roles of increasing responsibility. Some of my time was spent as a public educator about online safety and cybersecurity and I often spoke to small business owners in this capacity about strategies for protecting their organizations from cybercrime.
The last role I had there and probably the most meaningful one, was in Corporate Philanthropy where we investigated and launched a program to train underserved young adults to enter into cybersecurity work roles. During the research phase of that project, I met with people throughout industry and government to learn about job requirements and that was my introduction to NIST.
My current work role includes participating on a small team led by Nelson Hastings to support our Small Business community with relevant and easy-to-understand guidance on a variety of cybersecurity topics. We also share materials on the website from our partners in other Federal agencies and non-profits.
The vast majority of small businesses are very small with fewer than 10 employees. Consider a physician in a small practice or a dry cleaner shop. Small business owners and employees are often surprised to learn that they represent a particularly ripe target to cybercriminals. Or that their connections to their larger business partners may also make them attractive. For a small business to become “cyber smart” begins with them shedding notions of being too small to be at risk. Every connected device is at potential for some level of cybersecurity risk. With the most common threats like ransomware that can spread through email, the targets might even be at random because their email was scraped up in some big database. The size of a business is never going to be a form of protection.
Recognizing this fact can also cause people to freeze up – it feels like an overwhelming proposition to secure every device or every system and educate all your employees, but it doesn’t have to be. A small business should take the steps outlined in the NIST Cybersecurity Framework and we have a quick start guide to break down those activities in a way we think any small business can successfully implement. Developing a small business’ cybersecurity plan could be a great activity for a college student and I would encourage companies to consider bringing in a cybersecurity student as an intern to help get a program in place quickly. October is Cyber Security Awareness Month and a great time to get started by sharing materials with employees like the NIST telework guide.
100% it’s the people. NIST employees work on fascinating projects and are all highly-intelligent, curious, friendly and collaborative. I think the range of work we engage in at NIST is remarkable and I never get tired of sharing with friends some of the “did you knows” I’ve picked up while working here. There’s a reason that so many NIST colleagues have been here 10, 20, 30 years or more. We NISTers enjoy a work environment suited for life-long learning and sharing of ideas.
I am one of the few employees that regularly worked remotely prior to the pandemic—which is a special status I don’t take for granted.