Cybersecurity Guidance for Small Firms
As small businesses become increasingly dependent on services and applications that connect to the internet, they also become a larger target for cybercriminals looking to exploit vulnerabilities to steal money and information, as well as to destroy data and disrupt operations. As a result, it is crucial for small financial firms to take proper cybersecurity measures – to protect their customers, their firm, their partners and the markets they operate within. This resource page is intended to provide information applicable to small firms and supportive of their overall business model, to increase their security and ensure the protection of their customers.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has created a method called the Cybersecurity Framework for firms of all sizes to improve their cyber protections. This framework was the result of a collaborative effort between NIST and leading industry professionals and companies, including SIFMA. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
Drawing upon the cybersecurity framework, as well as other industry and government resources, SIFMA has composed a guidebook and checklist tailored to small firms. While the NIST Cybersecurity Framework organizes existing standards and provides an excellent holistic approach, this guidebook and checklist provide actionable and prescriptive guidance for small businesses seeking to implement or improve their cybersecurity.
Small Firm Cybersecurity Checklist
- NIST Small Business Corner
- NIST Small Business Information Security: The Fundamentals (PDF)
- NSA/IDA Top 10 Information Assurance Mitigation Strategies
- On Guard Online
- SANS Top 20 Critical Security Controls
- Securities and Exchange Commission Office of Compliance Inspections and Examinations Cybersecurity Initiative (SEC OCIE) (PDF)
Cybersecurity is an area of active risk management both for firms and the sector. SIFMA will continue to research and explore the topic as it relates to small firms. Please look for upcoming releases on the following topics.
- Establishing a Cyber Incident Response Plan
- Consuming and Analyzing Cyber Threat Information
- Getting more familiar with the NIST Cybersecurity Framework
- Small Firms Cyber Table Top Exercise (Tentative Fall 2014)
SIFMA welcomes input on additional discussion topics that you feel will help improve cybersecurity of your firm or the sector more generally. Please submit requests to Thomas Wagner.