This page is intended to be a clearinghouse for government, nonprofit and private-sector resources available to support businesses through the 5 steps learned in the CyberSecure My Business™ program. Small and Medium Businesses are busy keeping their customers happy, so NCSA wanted to create one place for you to go to learn the best practices in cybersecurity. This page will be updated regularly. If you have a resource to share, email [email protected] to let us know.
Resources are organized by Identify, Protect, Detect, Respond, Recover and Other.
Understanding the 5 Steps in CyberSecure My Business
- Federal Trade Commission (FTC) Video on National Institute of Standards & Technology (NIST) Cybersecurity Framework
Before a business can protect assets and data, those key items need to be identified and tracked. Creating inventory lists that are living documents and doing periodic assessments of your business are critical first steps in improving cybersecurity. These resources will help get you started.
Insurance Institute for Business and Home Safety
- Open for Business EZ Toolkit
- Inventory List – Know your information technology and data
- Know your business
- Know your employees
- Know your key Customers, Contacts, Suppliers and Vendors
- Stay Open for Business Complete Toolkit
Michigan Small Business Development Center (SBDC)
- Small Business Big Threat assessments, resources and training for businesses, government contractors, and international travel and business. Developed by Michigan SBDC with support from the U.S. Small Business Administration (SBA) and the Michigan Economic Development Corporation.
U.S. Department of Homeland Security
Cybersecurity Education and Awareness Materials for Your Business
The most critical step in protecting your business is educating yourself and your staff about how they can improve online security and data protection. These no-cost resources are a good place to start the education.
- Cyber-Security For Small Business: Protect your small business from cybercriminals, data breaches, natural disasters and more.
- A Best Practices Guide for Comprehensive Employee Awareness Programs details the four steps in a strategic framework for successful cybersecurity and data privacy awareness programs.
- Knowledge Assessment helps provide valuable information for you to configure your training and awareness program.
- Phishing Simulator helps organizations measure and demonstrate their employees’ aptitude and progress and tie those results to targeted training content.
- This Is GDPR Jeopardy! is a free online game to help inform you and your colleagues and employees about the General Data Protection Regulation and the requirements it brings.
- A Best Practices Guide for Comprehensive Employee Awareness Programs
- Awareness Training Videos
- Internet Safety for Enterprise & Organizations offers tools to help your employees learn the skills they need to work more safely online and better defend company and customer data and their own personal information.
Norton by Symantec
- Norton Small Business Resources offers information on scams, IoT, family safety and more.
SANS Securing the Human
- OUCH! is a free security awareness newsletter designed for everyone – published every month and in multiple languages. Each issue focuses on and explains a specific topic and shares actionable steps people can take to protect themselves, their families and their organizations.
- Cybersecurity Conversations for the C-Suite in 2018 shares insights on the cybersecurity conversations your organization should be having and what questions to ask yourself as a cyber-aware professional.
- Security Webinars on hybrid cloud and user protection from TrendMicro, which provides a connected threat defense from the endpoint to the network to the cloud.
Top Tips for Securing Your Business Accounts and Data
American Society of Media Photographers
ASMP shares a best practice for backing up critical data. With ransomware on the rise, having three backup copies and practicing restoring those backups will help prepare you against attacks.
- What Every CEO Needs to Know About Cybersecurity: Whether you are a business of 1 or 1,000, leadership is important in cybersecurity. This guide will take you through key items to understand.
The FTC, the nation’s consumer protection agency, has created a webpage with information on scams targeting small businesses and tips to help avoid them. It also includes cybersecurity articles and videos to help small business owners protect their networks and systems and their employees’ and customers’ sensitive data.
- Protect your business from scams: here’s an article and a video with tips to recognize scams targeting small businesses
- Start with Security: how businesses can protect their computers and networks against threats
- Develop a plan to protect their customers’ personal information
- Learn what to do if there is a data breach
- Find out how IdentityTheft.gov can help your employees and customers
- Stay informed. Subscribe to the business blog
- Order free publications from the FTC and share them with your employees
Insurance Institute for Business and Home Safety
- The Microsoft Secure Blog offers guidance on protecting your devices and your business against cyber threats. It gives information about identity theft, spam and phishing attacks and alerts readers when Microsoft issues security updates.
- Technology Checklist shows safety tips for the technology in your business like Wi-Fi, USB, cloud services, mobile devices and more.
Sophos is a global leader in network and endpoint security.
- IT Security DOs and DON’Ts includes employee handbook, top tips videos and reading materials and more.
- This Safer Internet Guide is designed for nonprofits, charities and NGOs. You rely on the goodwill of your donors, constituents and community for support. So it’s very important that you protect your data and infrastructure. This guide is intended to help you keep it safe.
U.S. Homeland Security Computer Emergency Readiness Team (US-CERT)
- Cyber Security Tips
- Posters to provide guidance on physical and cybersecurity and how to report suspicious behavior, activity, and cyber incidents
- Protect Your Workplace Campaign
- Mobile Device Security
- Resources for Business – PROTECT
- Stop.Think.Connect. Toolkit – Small Business Resources
- NICCS Training Catalog is a central location where cybersecurity professionals across the nation can find over 3,000 cybersecurity-related courses. Anyone can use the interactive map and filters to search for courses offered in their local area so they can add to their skill set, increase their level of expertise, earn a certification, or even transition into a new career.
- National Cyber Awareness System (NCAS)
Small employers often don’t consider themselves targets for cyberattacks due to their size or the perception that they don’t have anything worth stealing. However, small businesses have valuable information cybercriminals seek, including employee and customer data, bank account information and access to the business’s finances, and intellectual property. Small employers also provide access to larger networks such as supply chains.
Trusted third-party organizations will review IT security products to help business owners find the right tools.
ICSA Labs, an independent division of Verizon Business, has been providing credible, independent, third-party product assurance for end users and enterprises since 1989. ICSA Labs has provided vendor-neutral testing and certification for hundreds of security products and solutions for many of the world’s top security product developers and service providers.
Small Business Trends
Founded in 2003, Small Business Trends is an award-winning online publication for small business owners, entrepreneurs and the people who interact with them. It is one of the most popular independent small business publications on the web.
Free Security Tools
Some companies also offer free tools to support businesses without large budgets.
National Institute of Standards and Technology (NIST)
NIST, an agency of the U.S. Department of Commerce, was founded in 1901 as the nation’s first federal physical science research laboratory. NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.
Sophos is a global leader in network and endpoint security.
TrendMicro works to provide a connected threat defense from the endpoint to the network to the cloud.
- Security Sense for Retailers: If your business accepts payment cards, it is important to have security steps in place to ensure your customers’ information is safe. Your bank or payment services processor can help you prevent fraud. In addition, there are free resources and general security tips available to learn how to keep sensitive information, beyond payment information, safe.
A business often will not know it has been breached until many months after the attack begins. Having the right security tools in place will help you detect a problem and be able to act.
Learn about certified tools at this site:
- ICSA Labs, an independent division of Verizon Business, has been providing credible, independent, third-party product assurance for end users and enterprises since 1989. ICSA Labs has provided vendor-neutral testing and certification for hundreds of security products and solutions for many of the world’s top security product developers and service providers. Enterprises worldwide rely on ICSA Labs to set and apply objective testing and certification criteria for measuring product compliance and performance.
- Discover why and how you should bring Managed Detection and Response services into your organization. Get a quick primer on Managed Detection and Response, find out why Gartner recommends it, and learn how to pick the perfect provider for your organization—download your free toolkit now!
- The Global Security Intelligence Report provides an in-depth perspective on the changing threat landscape, including software vulnerability disclosures and exploits, malicious software and potentially unwanted software.
Businesses small and large need to have a response plan in place and practice that plan prior to a breach. These tools and plans are ready for you to customize to fit your business. Just as you plan for natural disasters or fire prevention, cybersecurity response needs to also be considered.
Incident Response Book provides expert advice about building your custom breach response plan.
Federal Communications Commission (FCC)
- Small Biz Cyber Planner 2.0 is an online resource to help small businesses create customized cybersecurity plans. Use this tool to create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns.
- Privacy Is A Promise to Your Customers – So Make Sure You Don’t Break It is a webcast that discusses the challenges of protecting yourself and your customers in the new era of privacy. It highlights the four pillars of privacy and consent, the obligations regulations place on companies operating within the Asia-Pacific region, how to develop secure and effective privacy policies and how to make sure your data protection infrastructure supports your privacy policies and objectives.
Insurance Institute for Business and Home Safety
- Open for Business EZ Toolkit
- Business Continuity Plan
- Complete Toolkit
- Top 5 Myths About Business Continuity Planning
- Know Your Finances
- Exercise Losing Power
- Business Impact Analysis helps businesses consider the following:
  - Lost sales and income
  - Delayed sales or income
  - Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  - Regulatory fines
  - Contractual penalties or loss of contractual bonuses
  - Customer dissatisfaction or defection
  - Delay of new business plans
- Response Checklist to Advanced Persistent Threat (APT): This list can guide a company in responding after an attack.
U.S. Department of Homeland Security
- Critical Infrastructure Cyber Community Voluntary Program
- Leadership Agenda offers suggested questions and topics you can use to help guide a conversation about your business’s current cybersecurity posture and cybersecurity best practices. This agenda can also assist you in starting a conversation about how to use the NIST Cybersecurity Framework as a guide for your cybersecurity procedures and policies.
- Resources for Business – RESPOND
Report an Incident
The following are options for reporting a breach. Depending on the type and size of the breach, a business may involve a different support organization.
- FBI IC3
- Your state attorney general
- The FTC
- Better Business Bureau (BBB) Scam Tracker
- US-CERT also maintains an incident reporting system for computer security incidents.
- Anti-Phishing Working Group (APWG): The APWG is the global pan-industrial and law enforcement association focused on eliminating the fraud and identity theft that result from phishing and email spoofing of all types. Its website includes ways to report phishing, resources for educating customers about cybersecurity issues and news.
How a business recovers can influence its success moving past the breach. Having a recovery plan in place and making sure each member of the staff understands their role is critical to a strong recovery.
- Guide for Cybersecurity Incident Recovery: This bulletin summarizes the information presented in NIST SP 800-184: Guide for Cybersecurity Event Recovery. The publication provides organizations with strategic guidance for planning, playbook development, testing and improvement of recovery planning following a cybersecurity event.
- IT Disaster Recovery Plan: Businesses large and small create and manage large volumes of electronic information or data. Much of that data is important. Some data is vital to the survival and continued operation of the business. The impact of data loss or corruption from hardware failure, human error, hacking or malware could be significant. A plan for data backup and restoration of electronic information is essential.
The FTC is a bipartisan federal agency with a unique dual mission to protect consumers and promote competition.
- Business Center is your link to videos, blogs and updates for businesses on privacy, security and more.
- FTC.gov/SmallBusiness has:
  - Information on scams targeting small businesses, and tips to help avoid them
  - Advice to help small business owners protect not only the networks and systems that are the backbone of their business, but also their employees’ and customers’ sensitive data
  - Videos that show steps small business owners can take to ensure their business has secure networks
- Start with security – and stick with it (July 28, 2017)
- Stick with Security: Insights into FTC Investigations (July 21, 2017)
- The ITRC is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides victim and consumer support and public education. The ITRC also advises governmental agencies, legislators, law enforcement and businesses about the evolving and growing problem of identity theft.
- (ISC)² is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers; it provides vendor-neutral education products, career services and Gold Standard credentials to professionals around the world.
- McAfee Blog Central provides blog posts and resources on online safety and security for businesses and consumers.
- The Trust Center is a resource for learning how Microsoft implements and supports security, privacy, compliance and transparency in its cloud products and services. It provides in-depth information and resources about security, privacy and more and information specific to key organizational roles, like business managers, data security teams and legal compliance teams.
- ITL Bulletins are published monthly by NIST’s Information Technology Laboratory, focusing on a single topic of significant interest to the computer security community. They often highlight a recently-published FIPS or NIST Special Publication of significance.
- For 20 years, the Computer Security Resource Center (CSRC) has provided access to NIST’s cybersecurity- and information security-related projects, publications, news and events. CSRC supports stakeholders in government, industry and academia—both in the U.S. and internationally.
- In this major update to CSRC, see our greatly-expanded publications library, explore content by topic, and search our glossary of information security terms.
PCI Security Standards Council
PCI Security Standards Council is the global standards body dedicated to helping organizations secure payment card data. The Council’s Payment Protection Resources for Small Merchants provides simple guidance to help small businesses improve their data security practices and reduce the risk of data theft.
- Guide to Safe Payments shares simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft and where to go for help.
- The Patching, Passwords and Secure Remote Access infographic provides information on the three critical areas small businesses need to address to protect payment card data: passwords, patching and secure remote access.
- Phishing and Social Engineering Resource Guide provides a few security basics to defend against these attacks.
- Ransomware Resource Guide provides advice on how to prevent ransomware attacks.
Texas A&M Engineering Service (TEEX)
TEEX’s National Emergency Response and Rescue Training Center (NERRTC) is a training partner of the DHS/Federal Emergency Management Agency (FEMA) National Preparedness Directorate, the National Domestic Preparedness Consortium (NDPC) and the National Cybersecurity Preparedness Consortium (NCPC). TEEX develops and delivers DHS- and FEMA-certified online and face-to-face training courses at no cost to states, counties, local jurisdictions and critical infrastructure components nationwide addressing cybersecurity and cyber terrorism concerns.
U.S. Department of Defense
- For a more technology-savvy reader: The Cybersecurity Guidelines documents, guidelines and templates are provided and should be used in preparation of project proposal submissions; if awarded, additional deliverables will be required depending on the type of FRCS, network connectivity, and project demonstration objective. The sequence of the documents is intended to build on each other.
DHS has a vital mission: to secure the nation from the many threats we face. DHS co-leads National Cyber Security Awareness Month with NCSA.
- The Small Business Technology Coalition is committed to helping small businesses leverage technology as a core driver of growth and differentiation. That means increasing digital education and training to help them launch, grow, manage and win business.