
It’s no secret that small businesses face challenges in understanding and keeping up with the rapidly changing cyber threat landscape. Today we’ll discuss some of those challenges and review new free resources from NIST and CISA coming out in 2024 that can help SMBs manage and improve their cybersecurity programs. Buckle up, it’s going to be a busy year.
In this episode:
Small Business Cybersecurity 2024 – Ep 443
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
HIPAA Briefs
[08:54] What are the current HIPAA violation fine amounts?
Since we still see and hear “fines up to $1.5M…”, our listeners probably know that hasn’t been the case for years. Every year the HIPAA fine amounts get an inflationary adjustment. Here are the HIPAA violation fine amounts as of January 2024. The penalties are categorized into four tiers based on the level of culpability:
- Tier 1 (Lack of Knowledge): The minimum penalty per violation is $137, with a maximum of $34,464 per violation. The annual penalty cap for this tier is set at $34,464.
- Tier 2 (Reasonable Cause): This tier carries a minimum penalty of $1,379 per violation, and a maximum of $68,928 per violation. The annual penalty cap is $137,886.
- Tier 3 (Willful Neglect – Corrected): The penalties range from a minimum of $13,785 to a maximum of $68,928 per violation, with an annual cap of $344,638.
- Tier 4 (Willful Neglect – Not Corrected within 30 days): This is the most severe category with a fixed penalty of $68,928 per violation and an annual cap of $2,067,813.
These amounts reflect the latest adjustments made for inflation as of October 6, 2023. It’s important to note that state attorneys general also have the authority to issue fines for HIPAA violations, with a maximum of $25,000 per violation category, per year. The severity of the violation and the organization’s response to it are key factors in determining the penalty amount within these ranges.
So, that $1.5M number that everyone uses is really $2M+ in 2024.
Small Business Cybersecurity 2024
[20:30] CISA and NIST are just 2 of the many organizations trying to develop ways to help SMBs with managing cybersecurity, and the help is definitely needed. On Jan 10, NIST hosted a webinar specifically discussing their plans for small business in 2024.
What’s in Store for NIST’s Small Business Program in 2024?
What’s in Store for NIST’s Small Business Program in 2024? Slide Deck
Highlights
What is a small business?
First, how do you define a small business? The U.S. Small Business Administration’s Office of Advocacy generally defines a small business as an independent business having fewer than 500 employees.
They include a reference to the SBA Frequently Asked Questions About Small Business 2023 that offers some interesting insights. Small businesses are so often overlooked, but these stats make it clear that our focus on small businesses is definitely needed:
- Most businesses are small: 99.9% of American businesses.
- About 38% of small businesses use specialized software in their business operations.
- Of 33.2 million small businesses, 27.1 million (81.7%) are run by a single owner and have no employees.
- In 2020, small firms averaged 11.7 employees.
- New firms (less than 2 years old) averaged 6 employees.
- Firms older than 20 years averaged 60 employees.
Face the Facts
[28:21] What we really need to do is face the facts about small businesses and cybersecurity. They have a great slide that covers that perfectly. Here are the facts we all must accept in 2024, if not already.
- Cybersecurity has become a fundamental risk that must be addressed alongside other business risks.
- Size often doesn’t matter to a threat actor.
- Small businesses can be more agile and innovative in response to cybersecurity risks.
- Most small business owners and employees are not cybersecurity experts.
- There are actionable steps smaller organizations can take to begin managing cybersecurity risks.
What’s the Plan?
[34:58] There has been some outreach from NIST to small businesses for a few years. They have a specific section for us: Small Business Cybersecurity Corner | NIST
NIST has set goals for 2024 to do more work on cybersecurity in the small business world. Interestingly, those goals include NIST being more involved than ever before in engaging directly with small businesses. A few of the many listed stood out to me.
- Deepening/expanding NIST’s relationship with small business-focused resource partners who are the ‘boots-on-the-ground.’
- Getting NIST more involved in SMB-focused events—both attending them, speaking at them, and hosting them.
- Creating more opportunities to listen to the SMB community to better understand their needs/challenges.
There is a long list of things they have available for all small businesses, and the work mentioned here is going to expand it a great deal. The big part is actually engaging with the small businesses. I can assure you that big enterprises work in a completely different world from us. They start conversations by asking whether a company is above or below $1 billion in revenue. Then of course the next cut is something like $500 million. While I am sure there are small businesses that generate that much revenue, I don’t think that is the standard starting point to determine who you are working with.
They are also hosting Community of Interest (COI) forum lists with two subgroups: owners, and then vendors or resource partners. The COIs, as they call them, are specifically designed for this:
You can sign up for those lists yourselves from this site: Get Engaged | NIST. We strongly encourage you to sign up and get engaged if you have a small business to manage or provide services.
[45:54] The big focus for NIST this year will likely revolve around the release of the NIST CSF version 2.0. They even have a webinar on it focused specifically on SMBs. That event is scheduled for March 20: CSF 2.0 for SMB.
This new version of the CSF will be big news in our world because the changes add a whole new function, so that IPDRR will now need to be GIPDRR. There are other changes that bring new discussions to how to manage and implement cybersecurity controls for any organization. Look for us to do a few things on those topics in the coming months for sure. Remember, everything you can possibly consider a framework will map to the NIST CSF. That includes HICP and will also involve the CISA CPGs as a connection there somewhere.
A lot of changes in cybersecurity are coming out in 2024. Most of it has a focus on the SMB market. So, pick something to focus on for your cybersecurity program like the CISA CPGs, NIST CSF 2.0 and HICP. As changes to these frameworks are released we will cover them and try to help you adapt and implement them in your organizations.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.