If you have 5 people in your office, none of them should be spending their lunch breaks figuring out firewall rules and patch management.
More than 32 million small businesses make up 99.9% of the firms in the United States, ranging from flower shops with three employees and law firms with ten attorneys to rural hospitals with 200 employees and factories with 1000 workers. For these small- and medium-sized enterprises (SMEs), a ransomware attack can stop production on the factory floor, prevent patients from getting life-saving medical care by blocking access to patient schedules, treatment histories and medical equipment, release sensitive client data, or even force a small family business to close.
IST and the Ransomware Task Force released the Blueprint for Ransomware Defense in August of 2022 to provide SMEs with an actionable framework to defend against the most common attacks. The original Blueprint for Ransomware Defense aligned its curated subset of Center for Internet Security Controls to the NIST Cybersecurity Framework (CSF) 1.0 functions: Identify, Protect, Detect, Respond, and Recover. Today IST is releasing an update that remaps and aligns the Blueprint with the NIST Cybersecurity Framework 2.0, which incorporates a new Govern core function. This blog post explores the updates and key considerations for some of the most vulnerable SMEs: organizations with fewer than 5 IT staff and no dedicated cybersecurity staff.
Although the 40 Safeguards and their distribution between foundational (14) and actionable (26) remained the same in this remapping effort, we note substantial changes in their distribution across the core Framework functions. A few highlights:
- 16 of 40 Safeguards were remapped, with 12 of those Safeguards moving to the newly created Govern core function.
- In Govern, 11 of 12 Safeguards, or 92%, are Foundational.
- In Identify, 3 of 4 Safeguards, or 75%, are Foundational.
- Whereas Foundational safeguards had previously been spread across the core functions in the NIST CSF 1.0, 100% of Foundational Safeguards are now in the Govern and Identify core functions according to the remapping.
Given the diverse range of SMEs, their organizational capacity for cybersecurity risk management varies greatly by industry, size, location, and other factors.
As with payroll and HR functions, many SMEs completely outsource or significantly supplement IT and cybersecurity by hiring a managed service provider (MSP). When SMEs hire a payroll company, they’re not just buying software. They’re buying peace of mind that taxes get filed correctly and workers get paid on time. Likewise, an MSP aligned with the Blueprint can offer SMEs the same assurance for their cybersecurity: backups happen automatically, vulnerabilities get patched quickly, and someone’s watching for threats even when they’re closed for the weekend.
In future work, we at IST will continue to explore how to leverage the Blueprint to improve preparedness and response for SMEs below the cyber poverty line—including states, local municipalities, and education entities. For now, whether you are a managed service provider or an SME in search of cybersecurity assistance, here’s your call to action:
If you are an MSP:
- Map Services to the Blueprint: Create a simple one-page document showing which Blueprint Safeguards are included in each tier of service
- Onboarding Checklist: Map your onboarding steps directly to Blueprint controls
- Annual Blueprint Review Meeting: Schedule time to review all controls, discuss gaps, and plan improvements
If you are an SME that uses an MSP:
Share the Blueprint with your MSP and ask them…
- Can you provide a report showing your alignment with the Blueprint?
- Which of these controls do you currently provide and are they by default or are additional steps required to enable them? Which would require additional services or investment?
- Are there Blueprint controls we should be implementing that we’re not currently using?
If you are an SME with a small IT staff (1-5 FTE):
- Pull out the Blueprint. For each of the 12 Govern Safeguards, ask yourself: “If our IT person quit today, could their replacement figure out how we do this?” If the answer is no, you don’t have governance, you have a single point of failure. However, small actions can start to build momentum toward cybersecurity governance. Take an hour and try this with your team:
  - Capacity Check: Review the Govern Safeguards to determine which are feasible for your team to achieve internally with existing staff and resources in three months, six months, or a year. Which Safeguards will require outside support from an MSP or other provider?
  - Prioritization: Select one of the Govern Safeguards to work on that seems most manageable or most impactful.
  - Make Some Progress: Start a rough draft of what the written process should look like to address the Safeguard. Since the goal is to build momentum and make some progress, this can be a rough draft. Much of this knowledge may already live implicitly in one or multiple people’s heads, so focus on documenting what you already do and build from there.
  - Remember: For SMEs with 1-5 IT staff, governance isn’t about building a compliance bureaucracy. It’s about having documented answers to basic questions before a crisis hits. And this process will get you there.
If you are an SME selecting an MSP:
Ask them questions that assess their alignment with Blueprint’s Foundational Controls like…
- Can you walk me through what happens if we get hit with ransomware? Who do I call, and what are the first three things you’ll do? (17.3)
- How will you help us establish and maintain a secure configuration process for our…
  - Enterprise assets and software? (4.1)
  - Network infrastructure? (4.2)
- What’s your process for managing our user accounts when someone joins or leaves the company? (6.1, 6.2)
- How will you help us establish and maintain a process for…
  - Vulnerability management? (7.1)
  - Remediation? (7.2)
- How do you handle security patches? Do I need to approve them, or do they happen automatically?
- How quickly can you restore our systems if we get attacked? (11.1)
- Are our backups isolated from our network? Can you show me evidence? (11.4)
  - Have you tested their availability?
- Do you maintain an inventory of all our…
  - Devices? (1.1)
  - Software? (2.1)
  - Accounts? (5.1)
- What is your process for prioritizing and implementing MFA on applications, accounts, and services? (6.3, 6.4, 6.5)
Thankfully for SMEs with fewer than 5 IT staff, cybersecurity governance doesn’t require a compliance department or a CISO. However, it does require documented processes for several basic questions about what you’re protecting, how you’re protecting it, who can access it, and what happens when things go wrong.
The Blueprint’s remapping to NIST CSF 2.0 highlights that these Foundational Safeguards in Govern and Identify represent documented processes that can determine whether your business survives a ransomware attack or becomes another cautionary story for the infosec community. Start with one Safeguard, document what you already know, and build from there, because the best time to establish cybersecurity governance is before you need it.
