Small Business, Big Risk: Decoding NIST's Strategy for Mid-Sized Business Security

As we head into the midpoint of the decade, “Ransomware Attacks Are On the Rise” headlines are approaching the level of self-evidence usually reserved for reporting that the sky is blue. The general trend of attack keeps creeping up and to the right, and several signs suggest the pendulum may be swinging further towards small- and mid-sized businesses as a priority target. Fortunately, an introduction to the National Institute of Standards and Technology, or NIST’s risk management framework speaking directly to the challenges facing small businesses is providing practical, methodical strategies these businesses can use to stay safer, regardless of their size. Let’s take a look at why ransomware actors are shifting back from enterprises to smaller organizations, and some of the top takeaways from NIST’s new guidance.

Going Solo, Robbing Local

SMBs have always been a significant segment in ransomware victims. But their relative percentage of attacks declined for several years starting in 2020 during the widespread shift to remote work, as increasingly sophisticated ransomware gangs went after highly-defended, highly-lucrative enterprise targets, especially in industries like manufacturing and healthcare. These “big fish” require a high level of coordination and investment by attackers – but the opportunity for profit dwarfed the sums small businesses could pay. Ransomware attacks continued to slowly rise, but at the high end of the market these attacks went from a “shotgun blast” to “surgical strike” approach. This trend can partly be explained by double extortion ransoms.

See, ransomware attacks as a percentage of total breaches has technically slightly declined from last year in absolute numbers, but this is only because of the rise of double extortion attacks. (Side note: my love of portmanteaus demands that I inform you Verizon’s Data Breach Incident Report (DBIR) team has nicknamed these “ranstortion” attacks.) In these cases, stolen data is both encrypted and exfiltrated, so once the victim pays up to access their data they’re hit with a second demand, under threat of having sensitive data (like patient data and company secrets) leaked. 

That dip seems to have reversed, with businesses under 1,000 employees back up to nearly 80% of all targets by the first half of 2023, a trend that has continued in the year since. Why the shift back? First, as police crack down on the increasingly ambitious organized gangs, attackers are scattering and striking out on their own. Second, affordable ransomware-as-a-service toolsets are streamlining the attack chain to fit nearly any skill level, while allowing a great deal of automation to launch a high volume of attacks. These solo operators don’t have the resources to go after the same enterprise targets as the big gangs, instead aiming at businesses that have smaller payouts but also smaller security budgets. Smaller payouts also aren’t a problem when the spoils all go to one person, after all!

So with a whole new generation of skiddies on the loose, what’s an IT admin to do?

Help from NIST: The Risk Management Framework for Small Enterprise

Many of the most commonly-recommended security services on the market today are out-of-reach for businesses without enterprise security budgets. NIST recognized the need for a structured, systematic approach to risk management for these smaller organizations, who may not have the dedicated security roles typically tasked with handling long lists of best practices. Towards this end, they just published SP 1314, a quick start guide to its more extensive Risk Management Framework. The full RMF page has a host of helpful resources including introductory training courses, but its extensive resources can be a bit of a daunting undertaking for already-overwhelmed admins. This makes the nine pages of tips in the new guide (plus a resource page with links to more info) a much more accessible option – and one that will still be a great start for many who aren’t sure where to begin.

Rather than a compliance standard listing controls and requirements that a business has to certify or have audited, the RMF provides a straightforward and repeatable cycle to frame, assess, respond to, and monitor risk. This has the advantage of being applicable to any security project or organizational risk profile, as opposed to a checklist that may meet some organization's needs, but be either overkill or underbaked for others. NIST breaks the cycle into seven steps, and here’s a short rundown of each:

1. Prepare: Designate someone to lead your risk management project. Define what the most valuable assets are that you’re trying to protect (customer data, financial info, etc.) as well as what expert help you might need for informed decision making through the rest of the process.
2. Categorize: Identify your most important systems and data, and figure out how critical each one is to your business – this helps you focus your efforts where they matter most. Start with the most valuable and likely targeted system, and iterate through the rest of your list from there.
3. Select: After categorizing your top assets and targets, you’re ready to compare your list against NIST recommendations for security controls (NIST SP 800-53) and choose the options that fit your need and budget. Again, start with the most crucial controls, evaluating both the services and the vendors providing them to make sure they meet the needs you’ve defined
4. Implement: Where the rubber meets the road! This might mean installing software, training employees, or changing processes. Plan your rollout, choose how you’ll measure its effectiveness, and set regular milestones as well as retrospective touchpoints to move mindfully through this process. Remember, perfect is the enemy of good - start somewhere and improve over time.
5. Assess: Routinely check if your controls are working as intended, measured against the metrics of success. This doesn't have to be complex -- even a simple checklist can help. Identify any gaps or areas for improvement (we’ll come back to this).
6. Authorize: Define a clear authorization chain for sign-off from leadership, including who has the final approval to authorize a system as good-to-go or in need of further review. This step ensures everyone's on the same page about risks and protections and provides a chain of command when decisions need to be made quickly.
7. Monitor: Implement controls to continuously monitor for new threats or changes in your business that might affect security. Regularly update your leadership on security status and milestones.

Each of these steps receives more detail in the Quick Start guide, as well as directly linking to the relevant section of the RMF with more detail. It’s important to note that the seven steps above aren’t a one-time process, but an ongoing cycle of monitoring: identifying gaps, categorizing the controls needed to fill them, selecting and implementing those controls, etc. 

Implementing a formal risk management strategy can be intimidating, but resources like this new guide are a step in the right direction towards making security as accessible as it needs to be, for organizations of every size. I encourage you to read the full guide, and check out some of the additional resources linked above including the full Risk Management Framework page.

One more thing to remember: A cyclical process takes the pressure off getting everything perfect on your first review – every cycle of “frame, assess, respond, monitor” strengthens your defenses and improves on your plan. Your security journey is never over, but that just means you can always be improving your plan! And for more information where Blumira might be able to help with those “expert help” and “continuous monitoring” needs, check out these articles:

• Meeting NIST SP 800-53 Security Controls
• Now Available: NIST Compliance Reports From Blumira
• Complete Guide to the NIST Cybersecurity Framework