
Taking Measure

Just a Standard Blog

Small-Business Cybersecurity is Twice as Nice as Pumpkin Spice

By: Pat Toth
[Image: pumpkin spice latte. Credit: ©juliasudnitsaya/]

I think we’ve taken this pumpkin spice thing too far. Don’t get me wrong, I love fall. That first crisp evening when you need to put on a sweater, the crunch of leaves under your feet, homecoming football games, but pumpkin spice? It’s obvious that the pumpkin spice council’s marketing team has done an outstanding job because it’s in everything now: cookies, chocolate candy, ice cream, oatmeal, pancakes, marshmallows, and now even in a special “limited edition” of my favorite breakfast cereal.

Enough! I’m calling a timeout on pumpkin spice.

Maybe I find pumpkin spice season distasteful because it has eclipsed a less well known but much more important annual October event: National Cybersecurity Awareness Month.

While many of you may not anticipate National Cybersecurity Awareness Month with the same relish as the arrival of pumpkin spice, for me, it’s a time for renewed hope and celebration. Like Linus sitting in the pumpkin patch waiting for the arrival of the Great Pumpkin, each year I wonder, “Will this be the year that small businesses truly recognize the importance of cybersecurity? Will they act to protect their business information and assets?”

Many larger companies in the U.S. have dedicated resources—including people, technology and budgets—to protect against cybersecurity threats. As a result, they have become much more difficult targets for malicious attacks from hackers and cybercriminals. Consequently, hackers and cybercriminals are now successfully focusing more of their unwanted attention on small companies, including manufacturers.

For example, many cybercriminals view smaller businesses as being less secure and more vulnerable to attacks such as ransomware. Your business may have assets that can be valuable to a criminal; your company’s computers may be compromised and used to launch an attack on someone else, e.g., a botnet, or your business may provide access to more high-profile targets through your products, services or role in a supply chain. This is of concern to suppliers in the Department of Defense supply chain, as their systems have to be in compliance with NIST SP 800-171 by Dec. 31, 2017.

It is important to note that criminals aren’t always looking to gain from their attacks. Some may attack your business for revenge, e.g., for firing them or somebody they know, or simply for the thrill of wreaking havoc. Similarly, not all cybersecurity events are caused by criminals. Natural events such as fires, floods or hurricanes can also severely damage IT systems. We have all seen the effects of the recent hurricanes in Texas, Florida and Puerto Rico. Would your business be able to recover from a similar storm?

The overall impact of a cybersecurity incident could include:

  • damage to information or information systems;
  • regulatory fines and penalties/legal fees;
  • decreased productivity;
  • loss of information critical to running your business;
  • damage to your reputation or loss of consumer confidence;
  • damage to your credit and inability to get loans from banks; or
  • loss of business income.

Unfortunately, small manufacturers often have more to lose simply because a cybersecurity event—a hacker, natural disaster or business resource loss—can be costly enough to drive them out of business altogether. Small businesses are often less prepared to handle these events than larger businesses, but because they generally have less complex operational needs, there are many steps a small business can take to protect itself.

National Cybersecurity Awareness Month can help you learn how to protect your business. While cybersecurity is continually in the news—hardly a day goes by without some breach or cyber event—we rarely hear about ways to prevent these incidents from occurring. THIS IS THE TIME to spread good security practices within your business. Awareness, training and education are fundamental tools for small businesses to use to protect their company information, assets, IT systems and reputation.

Cybersecurity in a small business doesn’t necessarily mean hiring an expert on staff or as a consultant. The NIST Hollings Manufacturing Extension Partnership has cybersecurity resources for manufacturers as does the NIST Small Business Center.

Some basic cybersecurity topics that you may want to consider for awareness training for your employees include:

  • recognizing phishing attacks;
  • understanding the risks associated with the use of social media;
  • keeping your systems clean by installing patches and using the latest versions of software; and
  • avoiding public Wi-Fi when using mobile devices such as smartphones or tablets.

Having your employees understand these cybersecurity issues and how to address them in the workplace could potentially save your business. Your employees are your first line of defense in protecting your business against cyber-attacks.

October is a good time to enjoy a pumpkin spice latte—or cereal—if that’s your thing. But I hope you take at least a few moments to teach your employees to be more aware of the cybersecurity risks, threats and vulnerabilities to your small business. After all, ’tis the season for your employees to learn how they can help prevent a cyber incident in the workplace.

And give me back my cereal!

About the author

Pat Toth

Pat Toth is the Cybersecurity Program Manager at the NIST Hollings Manufacturing Extension Partnership (MEP). During her 26 years at NIST, Pat has worked on numerous documents and projects including...

Self-hackable encryption libraries in hardware ROM should be the only encryption available on your system. Then if you get ransomware you can just unhack yourself.

To truly address the cybersecurity issue, we must include the behavioral sciences in any cybersecurity program. Please think about this. The cyber hacker is a human and not a robot. The hacker is using a virtual instrument, such as malicious code, spam, etc., to attack the user’s endpoint device. Such virtual instruments obey the command and control of the hacker. Why then should we neglect the human component when we talk about cybersecurity? This issue is precisely what the National Academy of Sciences (NAS) recent report echoes. The current technical and scientific cybersecurity research landscapes are missing the behavioral sciences component! Please see the NAS report, Foundational Cybersecurity Research: Improving Science, Engineering, and Institutions, for details. The URL for the report is: …

Dr. Kofi Nyamekye
President & CEO, Integrated Activity-Based Simulation Research, Inc.
