Information security pros weary of explaining the basics of protecting their companies’ information, systems and networks to employees who really don’t want to be bothered might want to take a look at “Small Business Information Security: The Fundamentals.” This straightforward, easy-to-read, free guide from the National Institute of Standards and Technology (NIST) is aimed at SMBs with up to 500 employees, as its title states. I think it would prove just as useful for employees at remote offices where IT staffs are small or nonexistent and it’s important that employees bear responsibility for information security.
The draft guide, slated for final form by October, is written for people with little or no technical expertise. Author and NIST computer scientist Richard Kissel said the decision to keep the fundamentals, well, fundamental, stemmed from many years on the road teaching small business owners how to make themselves “less of a target” for malicious attacks and security snafus.
“What we found was that our audiences weren’t technical at all. They were small-business people. They were mechanics, they were printers, they were doctors and dentists. They were good at what they did, but what they did was not IT and it wasn’t information security,” Kissel said. “They had no idea what to do.”
The 20 pages of advice lay out 10 “absolutely necessary” actions and 10 “highly recommended” ones, and include a section on business continuity and disaster recovery. Worksheets for prioritizing and protecting data, as well as estimating the cost of bad stuff happening to that data, round out the packet.
If you don’t think users would appreciate the primer, it might make an early holiday gift for those neighbors and relatives who call you in a panic when viruses, spam or other nastiness put their computers out of commission. I enjoyed it, then promptly sent a copy to my 20-something daughter, who, like most employees her age, takes her work wherever she goes, turning her personal laptop into a small business.