
Cybersecurity for Non-Employer Firms: A Strategic Approach Based on the NIST CSF 2.0

James Okafor
April 18, 2026
18 min read
4,200 words
regulatory-compliance, cybersecurity-frameworks, small-business-security, nist-csf, risk-management, data-protection, incident-response

Educational Content – Not Legal Advice

This article provides general information. Consult a qualified attorney before taking action.

Disclaimer

This analysis is for educational purposes only and does not constitute legal advice. The information provided is general in nature and may not apply to your specific situation. Laws and regulations change frequently; verify current requirements with qualified legal counsel in your jurisdiction.

Last Updated: April 18, 2026

📄 Original source document: This article is based on NIST CSWP 50 (Initial Public Draft), Small Business Cybersecurity: Non-Employer Firms, by Daniel Eliot, Jeffrey A. Marron, and Savann Thorn (April 14, 2026). Download the full PDF — available free of charge from NIST.

Abstract

This academic article comprehensively examines cybersecurity risk management in the specific context of non-employer firms, based exclusively on the guidelines of NIST CSWP 50 (1). These entities, commonly known as "solopreneurs," represent a critical part of the economic ecosystem but often operate with low-complexity information technology (IT) infrastructures and limited resources. The study details how the NIST Cybersecurity Framework (CSF) 2.0 provides a flexible, technology-neutral structure for these owners to understand, prioritize, and communicate their security efforts (1). Through analysis of the six core CSF 2.0 functions—Govern, Identify, Protect, Detect, Respond, and Recover—a practical methodology is established to build a solid security foundation that enables operational resilience and protection of high-value assets, such as intellectual property and customer data (2). The article underscores that cybersecurity should not be viewed merely as a technical challenge but as a vital component of enterprise risk management (ERM) that acts as a competitive differentiator and enabler of sustainable growth (3). Considerations on prevalent threats such as phishing and ransomware are included, as is the importance of continuous improvement and the use of organizational profiles to close security gaps as the business scales (4).

Keywords: cybersecurity; Cybersecurity Framework (CSF); cybersecurity risk management; information security; small business.


2. Introduction: The Ecosystem of Non-Employer Firms

2.1. Economic Relevance of Small Businesses

Small businesses constitute a fundamental and critical pillar of the economy, both nationally in the United States and in the global market (5). Statistical data from the U.S. Small Business Administration (SBA) Office of Advocacy indicate the existence of 34.8 million small businesses, representing 99% of all business entities in the country (5). These organizations not only drive innovation but are also determinants of the nation's industrial competitiveness, actively participating in all economic sectors (5).

2.2. Definition and Profile of the "Solopreneur" or Non-Employer Firm

Within the spectrum of small businesses, there is a majority and particularly vulnerable segment: non-employer firms. According to SBA records, 81.9% of small businesses have no paid employees other than their owners (6). This profile, colloquially known as the "solopreneur," encompasses a diversity of legal structures and operational models, including sole proprietorships, freelancers, single-member limited liability companies (LLCs), independent contractors, and gig economy workers (5, 6). Despite their individual scale, these firms often integrate into international supply chains and global business collaborations (1).

2.3. Technological Dependency and Vulnerability to Cybercrime

The modernization and scaling of current businesses have forced non-employer firms to increase their reliance on data and technology (3). The daily operations of a solopreneur typically rely on an IT architecture that, although low in complexity, is vital for survival (1). This typical architecture includes mobile devices connected to Wi-Fi networks, smart printers, desktop computers, laptops, and strong integration with cloud services for file storage, customer relationship management (CRM), online banking, and payment processing (1). This massive digitalization has been accompanied by an increase in criminal actors' capabilities to attack such information and systems (2). In this context, cybersecurity risk can no longer be treated in isolation but must be managed comprehensively alongside other business risks—legal, financial, environmental, and reputational—within an Enterprise Risk Management (ERM) framework (3, 13).

2.4. Multidimensional Impact of Cybersecurity Incidents

A cybersecurity incident can have devastating and permanent consequences for a non-employer firm. The inability to protect the confidentiality, integrity, and availability of information can lead to a cascade of effects (1):

  • Operational: Total inability to operate the business and loss of critical information (2).
  • Financial: Direct revenue loss, regulatory fines, penalties, legal fees, and credit history damage that prevents obtaining bank loans (2, 12).
  • Reputational: Loss of trust from customers, business partners, and collaborators, which is especially critical for firms that depend on their professional image to compete (2).
  • Systemic: Effects can extend beyond the firm, negatively impacting customers and supply chain partners (3).

Although no entity can prevent all incidents, implementing a sound cybersecurity plan allows minimization of these impacts and achievement of business objectives (3).


3. Methodological Foundations: The NIST Cybersecurity Framework (CSF 2.0)

3.1. Foundational Goals: The CIA Triad

The foundation of any cybersecurity program, regardless of business size, rests on protecting three fundamental pillars known as the CIA Triad (1, 13):

  • Confidentiality: Protecting data from unauthorized access and disclosure (8, 13). A critical example for a solopreneur is preventing access credentials, such as usernames and passwords, or customer credit card data from being stolen, which could generate legal and financial risks (13).
  • Integrity: Protecting information from unauthorized modification (13). This objective seeks to ensure that sensitive data, such as product designs or research records, are not altered without the owner's knowledge (13).
  • Availability: Ensuring timely and reliable access to information and systems (13). Loss of availability—such as being unable to access bank accounts or having the business website go offline—can completely halt commercial operations (13).

3.2. Structure of the CSF 2.0: Functions, Categories, and Subcategories

The NIST Cybersecurity Framework 2.0 (CSF 2.0) is a flexible, technology-neutral scheme designed to enable organizations to assess and communicate their cybersecurity efforts (1). Its main structure, called the Core, organizes desired cybersecurity outcomes into three hierarchical levels: Functions, Categories, and Subcategories (1). The Functions represent the highest level and offer a strategic view of risk management (1). These functions are: Govern, Identify, Protect, Detect, Respond, and Recover (1). This structure allows both business owners and technical consultants to use a common language to manage risks (1).

3.3. Organizational Profile: Gap Analysis

A key methodology within CSF 2.0 is the development of an Organizational Profile, which functions as a strategic exercise for the firm to understand its security posture (1). The process is divided into two states:

  1. Current Profile: Describes the cybersecurity outcomes the business is currently achieving (1).
  2. Target Profile: Defines the outcomes the organization needs or desires to achieve to meet its risk management objectives (1).

Comparison between the two profiles enables a gap analysis, helping the owner make informed decisions and prioritize investments cost-effectively to close those gaps (1).

3.4. Cybersecurity Risk Management vs. Privacy Risk Management

It is imperative to distinguish between cybersecurity and privacy, although both disciplines have complementary and overlapping objectives (7). While cybersecurity risk management contributes to privacy by protecting confidentiality, it is not sufficient on its own (7). Privacy risks can arise from processes unrelated to security incidents, such as processing personal data in ways that violate individual rights or storing information for excessive periods (7). Therefore, the firm must integrate cybersecurity within a broader Enterprise Risk Management (ERM) framework that considers the multidimensional impact of its data operations (3, 10).


4. Govern Function: Establishing Strategy and Policy

The Govern function acts as the cross-cutting axis of the CSF 2.0, providing the outcomes necessary to establish and monitor the risk management strategy, management expectations, and internal policies (1). For a non-employer firm, this function is critical for integrating cybersecurity into the business model and ensuring alignment with external obligations.

4.1. Tracking Legal, Regulatory, and Contractual Cybersecurity Requirements

Every business entity, regardless of size, is subject to an ecosystem of legal obligations that impact its security posture (1). CSF 2.0 outcome GV.OC-03 emphasizes the need to document and track all applicable cybersecurity requirements (1). Depending on the sector, the solopreneur may be subject to regulations such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS) (1). In addition to laws, there are commitments with customers and business partners that stipulate data handling, confidentiality, and integrity requirements (1). NIST recommends using compliance tracking tools or simple spreadsheets to document these obligations, deadlines, and necessary actions (1). As observed in the notional case of an intellectual property attorney, compliance must extend not only to state privacy laws but also to bar association rules on client data protection (1).

4.2. Assessing the Appropriateness of Cybersecurity Insurance

Financial risk management in the face of cyber incidents is addressed under category GV.RM (1). Cyber liability insurance is presented as a risk transfer tool that can help a firm recover after an incident (1). Beyond financial compensation, insurers often provide access to technical experts who assist in identifying necessary preventive actions (1). The owner must understand what situations are covered (e.g., data theft vs. business interruption) and whether commercial contracts with third parties require maintaining a specific policy (1).

4.3. Supply Chain and Third-Party Risk Management

In the modern environment, non-employer firms depend on a network of external service providers, such as cloud platforms, payment processors, and managed IT services (1). Under category GV.SC, CSF 2.0 establishes that these third parties are vital but introduce additional risks that must be mitigated (1). Contracts and purchase orders are the primary vehicles for defining cybersecurity roles and responsibilities (1). The firm must periodically review privacy and security settings and agreements with cloud service providers (CSPs) and internet service providers (ISPs) to ensure alignment with the firm's risk posture (1). As complexity increases, the organization must transition from informal management to formalized processes for evaluating suppliers and their critical dependencies (1).


5. Identify Function: Understanding the Risk Environment

The Identify function is fundamental for determining the current cybersecurity risk to the business (1). This function enables business leaders to understand their internal and external context to prioritize security efforts (1).

5.1. Inventory and Categorization of Critical Assets

The first critical step in managing risk is knowing what one possesses. CSF 2.0 outcome ID.AM establishes the need to create, categorize, and maintain an inventory of the assets on which the business relies: hardware, software, data, and services (including cloud services) (1). In a non-employer firm, common assets include desktop computers, laptops, mobile devices, Wi-Fi-enabled smart printers, routers, and external storage (1). Cloud services typically encompass email, accounting tools, CRM, file storage, and payment processing (1). It is vital to document what high-value data is received, processed, or transmitted by each asset (1). This includes intellectual property, customer data, and financial records (1). The owner should assess the estimated impact if an asset were compromised, using scales such as "significant," "moderate," or "negligible" (1). As exemplified in the case of an e-commerce entrepreneur, the inventory should be reviewed periodically (e.g., every six months) to ensure its validity (1). Additionally, NIST recommends minimizing the commingling of personal and business assets to maintain a clear division of devices (1).

5.2. Risk Assessment: Threats, Vulnerabilities, and Impact

Risk is defined as a function of threats, vulnerabilities, likelihood of an event, and the potential impact such an event would have on the business (1). A threat is any circumstance or event with the potential to adversely impact organizational operations (1). Examples include employees accidentally submitting credentials through a phishing scam or accidentally downloading ransomware (1). A vulnerability is a condition that enables a threat event to occur (1). A common vulnerability is outdated or unpatched software (1). Likelihood is the chance that a threat will affect the business, varying by industry (e.g., an online retailer is more concerned about website defacement than a business with little web presence) (1). Impact is measured by the magnitude of harm resulting from loss of confidentiality, integrity, or availability of information (1). According to federal standards, this impact can be categorized as low, moderate, or high (9).

5.3. Incident Response Planning and Continuous Improvement

Identifying risk also implies preparing for when defenses fail. Preparing and practicing a plan before an incident occurs enables faster and more efficient response to minimize impact (1). This plan must include key contacts (technical, legal, banking, insurance) and mandatory notification requirements by law or contract (1). Part of asset management is ensuring that sensitive information is not accessible when devices reach end-of-life (1). Recommended methods include electronic hard drive wiping, remote wipe capabilities, and physical destruction or shredding of media (1). Businesses should adopt lightweight feedback loops, documenting incidents or near-misses and using security tests or vulnerability assessments to strengthen maturity over time (1).


6. Protect Function: Implementation of Critical Safeguards

The Protect function encompasses the outcomes necessary to use safeguards that prevent or mitigate the impact of cybersecurity events (1). For a solopreneur, this function represents the technical and operational "line of defense" that protects previously identified assets (1).

6.1. Identity Management and Access Control: The Principle of Least Privilege

Access control is the process of limiting access to system resources only to authorized users, processes, or devices (1). The principle of least privilege (PR.AA-05) dictates that each entity should receive only the minimum resources and authorizations necessary to perform its function (1). In practice, this means the owner should not use administrator-privileged accounts for routine tasks but rather standard user accounts (1). If the business uses devices shared with family members, each individual must have a unique account to prevent sensitive business data from being accessed by third parties (1). Likewise, when a relationship with an external provider ends or when an employee leaves the organization (during growth stages), all access to systems, data, and devices must be immediately revoked (1). Changing default manufacturer passwords (PR.AA-01) on devices such as Wi-Fi routers is a basic hygiene step to prevent easy compromise of the device (1).

6.2. Data Security: Multi-Factor Authentication (MFA) and Password Management

Given that passwords alone have become ineffective against large-scale attacks, account protection requires additional layers (1). Multi-Factor Authentication (MFA) (PR.AA-03) requires the user to verify their identity using two or more credential categories: something you know (password), something you have (token or phone), or something you are (biometrics) (1). NIST especially emphasizes the use of phishing-resistant MFA for banking, email, and system administration accounts (1). The use of passphrases—sequences of words whose length is the primary factor in password strength—is recommended (11). Due to the difficulty of remembering multiple robust credentials, using a password manager is an economical and effective solution for maintaining unique passwords for each service (1).
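To make the "something you have" factor concrete, the following is an added example (not code from the article or from NIST CSWP 50) that implements the one-time-password mechanism used by authenticator apps, following RFC 4226 (HOTP) and RFC 6238 (TOTP): the service and the app share a secret at enrolment, and each derives a six-digit code from the current 30-second time step, so a password on its own no longer unlocks the account. The drift window, the replay check, and the demo secret (the RFC test-vector key, not a real one) are choices made for this example. Note that a TOTP code is still something a user can be tricked into typing into a look-alike site; the phishing-resistant MFA the text recommends for banking, email, and administrative accounts means authenticators bound to the genuine site, such as FIDO2/WebAuthn security keys or passkeys.

```python
"""Time-based one-time password (TOTP) generation and verification.

Added example, not from the article or NIST CSWP 50. The verification window,
the replay check and the demo secret are choices made for this example.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30   # seconds per code, the usual default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                last_counter: int = -1, window: int = 1):
    """Check a submitted code.

    Accepts the current step and `window` steps either side to tolerate clock
    drift, compares in constant time, and refuses any step at or before
    `last_counter` so an intercepted code cannot be replayed. Returns the
    accepted time step, or None when the code is rejected.
    """
    current = at_time // TIME_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter < 0 or counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def new_secret() -> bytes:
    """160-bit random shared secret, generated once per account during enrolment."""
    return secrets.token_bytes(20)


def enrolment_key(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect to be typed or scanned."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    # Demo secret from the RFC test vectors (not for real use); time 59 falls in step 1.
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))
    print("live code for a fresh secret:", totp(new_secret(), int(time.time())))
```

A service storing `last_counter` per account and passing it to `verify_totp` gets replay protection for free: once a code has been accepted, the same code (and any older step) is refused even inside the drift window.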

6.3. Asset Maintenance and Updating: Patch Management

Exploitation of vulnerabilities in outdated software is one of the most common attack paths (1). Periodic (at least monthly) installation of updates for operating systems and applications is critical (1). Enabling automatic updates is recommended to ensure security patches are applied as soon as the vendor releases them (1). In addition to applications, solopreneurs should schedule reminders to review and apply firmware updates for routers and printers—assets often overlooked in regular maintenance (1).

6.4. Awareness and Training: Protection Against Phishing and Ransomware

The human factor is a critical vector. Annual cybersecurity awareness training helps recognize criminal tactics designed to deceive the user (1). Phishing uses deceptive messages (email, SMS, social media) to induce the user to download malware or surrender credentials (1). Warning signs include: a sense of urgency, suspicious sender addresses (e.g., banks using @gmail.com accounts), and requests for sensitive information (1). The golden rule is to verify the request through a known contact channel and never through the link provided in the message (1). Ransomware encrypts business data and demands payment for restoration (13). Prevention includes using up-to-date antimalware software, blocking untrusted web resources, and running only authorized applications (13). The most effective protective measure against ransomware is regular data backup (PR.DS-11) (1). Maintaining multiple copies, including at least one on physical media not connected to the network (e.g., an external hard drive disconnected after use), is advised to prevent malware from encrypting the backup as well (1). Periodic testing of restoration is vital to ensure data can be recovered in a disaster (1).
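The backup advice above only pays off if the copy can actually be restored, which is why the text insists on periodic restore tests. The following added example (not code from the article or from NIST CSWP 50) carries that out end to end: it writes a backup archive together with a manifest of SHA-256 file hashes, restores the archive to a separate location, and checks every file against the manifest, so a copy that is damaged or was taken after files were already altered is caught before an incident rather than during one. The archive format, the manifest layout, and the sample files are choices made for this example.

```python
"""Backup with a hash manifest, plus a restore test.

Added example, not from the article or NIST CSWP 50. Archive format, manifest
layout and sample files are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file under root (path relative to root, '/' separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of src and a JSON manifest of file hashes beside it."""
    manifest = hash_tree(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a directory against the manifest; return {relative path: problem} (empty = clean)."""
    actual = hash_tree(root)
    problems = {}
    for rel, expected in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != expected:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"
    return problems


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing members that would escape dest where the interpreter supports it."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # Python 3.12+ (and patched 3.8-3.11)
        except TypeError:
            tar.extractall(dest)


def demo() -> tuple:
    """Back up a constructed sample tree, test the restore, then show that a damaged restore is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "business"
        (src / "customers").mkdir(parents=True)
        (src / "customers" / "orders.csv").write_text("order_id,customer,total\n1001,A. Example,49.00\n")
        (src / "invoices.txt").write_text("Invoice 2026-04-01: paid\n")

        archive = base / "backup.tar.gz"
        manifest = create_backup(src, archive)

        restored = base / "restore_test"
        restore(archive, restored)
        clean = verify_tree(restored, manifest)           # expected: {}

        # Simulate a restore whose contents no longer match (e.g. files altered before the copy was taken).
        (restored / "invoices.txt").write_text("not the original content\n")
        damaged = verify_tree(restored, manifest)         # expected: {"invoices.txt": "modified"}
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest on the offline copy alongside the archive lets the owner run `verify_tree` against a trial restore on a schedule; an empty result is the evidence that the backup is usable, and anything else is a problem to fix while the original data is still intact.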


7. Detect Function: Monitoring and Surveillance

The Detect function comprises the outcomes that enable discovery and analysis of anomalous activities that could indicate an attack or security compromise (1). The ability to identify common indicators of a cybersecurity incident early is vital for the solopreneur to take rapid action and minimize business disruption (1).

7.1. Continuous Monitoring of Assets and Indicators of Compromise (DE.CM)

The central objective of this subfunction is to constantly monitor assets for any signs of malicious or unusual activity (1). For a small business with low technical complexity, installing and maintaining antivirus or endpoint protection software constitutes the fundamental first step (1). These tools not only prevent infections but also monitor the system for anomalies (1). It is imperative to ensure that event logging functionality is enabled on operating systems and applications (1). These logs are crucial diagnostic tools during incident investigation, as they allow reconstruction of what happened and when (1). The owner should monitor the availability of key assets, such as the office router and cloud service providers (CSPs), to ensure the business can continue to meet customer needs (1). As the firm scales, it may opt for low-cost automated tools for endpoint detection and response (EDR) or contract a Managed Security Service Provider (MSSP) to offer 24/7 network monitoring to identify anomalies and alert the firm in real time (1).
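As an added example of why enabled logging matters (this is not code from the article or from NIST CSWP 50), the following script runs two simple detections over authentication log lines: a burst of failed logins from one source within a short window, and a successful login from a source that had already failed repeatedly, which is the pattern of a password-guessing attack that eventually succeeded. The log format (OpenSSH-style "Failed/Accepted password" lines with an ISO timestamp), the thresholds, and the sample lines (using RFC 5737 documentation addresses) are constructed for this example.

```python
"""Spotting repeated failed logins in event logs.

Added example, not from the article or NIST CSWP 50. Log format, thresholds
and sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log: one source hammers the admin account and finally gets in;
# a second source fails twice, far apart; the owner's own login appears from 192.0.2.10.
SAMPLE_LOG = """\
2026-04-18T07:55:00 office sshd[601]: Accepted password for owner from 192.0.2.10 port 50110
2026-04-18T08:01:10 office sshd[812]: Failed password for admin from 203.0.113.45 port 51012
2026-04-18T08:01:12 office sshd[813]: Failed password for admin from 203.0.113.45 port 51013
2026-04-18T08:01:15 office sshd[814]: Failed password for admin from 203.0.113.45 port 51014
2026-04-18T08:01:20 office cron[200]: (owner) CMD (backup.sh)
2026-04-18T08:01:20 office sshd[815]: Failed password for admin from 203.0.113.45 port 51015
2026-04-18T08:01:26 office sshd[816]: Failed password for admin from 203.0.113.45 port 51016
2026-04-18T08:01:33 office sshd[817]: Failed password for admin from 203.0.113.45 port 51017
2026-04-18T08:01:45 office sshd[818]: Accepted password for admin from 203.0.113.45 port 51018
2026-04-18T08:30:00 office sshd[900]: Failed password for owner from 198.51.100.7 port 40001
2026-04-18T09:10:00 office sshd[901]: Failed password for owner from 198.51.100.7 port 40002
"""


def parse_line(line: str):
    """Return the login event on this line, or None for lines that are not login attempts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect_suspicious_logins(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return (rule, source ip, count) alerts in the order they fire.

    failed_login_burst: at least `threshold` failures from one source within `window_seconds`
    (raised once per burst). success_after_failures: a successful login from a source that
    had accumulated at least `threshold` failures since its last success.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures inside the window
    failures = defaultdict(int)     # ip -> failures since the last successful login
    burst_alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ip, now = event["ip"], event["time"]
        if event["result"] == "Failed":
            failures[ip] += 1
            window = recent[ip]
            window.append(now)
            while window and (now - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in burst_alerted:
                burst_alerted.add(ip)
                alerts.append(("failed_login_burst", ip, len(window)))
        else:
            if failures[ip] >= threshold:
                alerts.append(("success_after_failures", ip, failures[ip]))
            failures[ip] = 0          # a success ends the streak; a later burst may alert again
            recent[ip].clear()
            burst_alerted.discard(ip)
    return alerts


if __name__ == "__main__":
    for rule, ip, count in detect_suspicious_logins(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {ip:15} {count}")
```

The second rule is the one worth acting on immediately: a burst of failures is noise that any internet-facing service sees, but a success right after a burst means the guessing worked and the account's password should be changed and its sessions ended. Without logging enabled, neither event leaves a trace to find.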

7.2. Physical Environment Security and Tamper Detection (DE.CM-02)

Threat detection is not limited to the digital realm; the physical environment where hardware resides must also be monitored to prevent unauthorized access (1). The solopreneur should implement tactics such as using locks on file cabinets, securely storing devices, and enabling automatic screen locks (1). This is especially critical when working in spaces with third parties present (1). Unique physical threats for each work location—home office, café, or coworking space—must be understood (1). For example, using privacy screen filters on laptop displays can limit what others see in public environments (1). Periodic assessment of the physical environment for signs of tampering with routers, locks, or devices is good practice (1). For routers, antenna orientation and Wi-Fi signal coverage should be managed to limit network "overspill" into uncontrolled neighboring spaces (1). As the organization grows, more sophisticated physical access control mechanisms, such as biometric authentication, access cards, or installation of surveillance equipment and security personnel, may be considered (1).


8. Respond Function: Management of Detected Incidents

The Respond function is defined as the ability to take action regarding a detected cybersecurity incident (1). An incident is described as any occurrence that jeopardizes, or imminently threatens, the confidentiality, integrity, or availability of information or systems (1). Since no entity can prevent all cyberattacks, the effectiveness of this function is decisive in minimizing negative impact on the delivery of goods and services (1).

8.1. Execution of the Incident Response Plan (RS.MA-01)

Implementing a pre-prepared incident response plan (IRP) enables the firm to act quickly and efficiently (1). Response is not an isolated activity but requires close coordination with stakeholders and external experts (1). Upon detecting an anomaly, the owner must thoroughly document the event, including a detailed description, the exact time of detection, and any initial actions taken (1). This information is vital for forensic investigators or MSSPs (1). For a non-employer firm, technical response will likely need to be delegated to third parties. The plan must include key contacts such as state police, regional FBI field offices, legal counsel, banks, and insurers (1). For example, in the case of an attorney under a ransomware attack, the first critical action is to contact their MSSP to initiate containment protocols (1). The primary objective is to stop the spread of the attack. In ransomware scenarios, this may involve disconnecting assets from the network to prevent further data encryption (1).

8.2. Strategic Communication and Notification Requirements (RS.CO)

Communication during an incident is a mandate that transcends operations to become a legal and contractual obligation (1). NIST classifies communication activities into four fundamental categories (1): (i) incident coordination (communication among parties with response roles); (ii) incident notification (formal report to customers, regulators, etc.); (iii) public communication (media management); and (iv) information sharing (voluntary sharing of threat data with the community). For an international business consultant, communication is especially complex due to non-disclosure agreements (NDAs) and sector-specific data handling requirements (1). The response plan must specify what, when, and how to report to each stakeholder as stipulated by state privacy laws or specific regulations such as HIPAA (1). The effectiveness of response depends on pre-crisis preparation. The source recommends designating a "Business Champion"—a person responsible for developing and maintaining the incident response plan (1). As evidenced in the e-commerce scenario, practicing the plan through simulations or tabletop exercises helps identify weaknesses in communication processes before an actual emergency occurs (1).


9. Recover Function: Resilience and Operational Restoration

The Recover function encompasses all activities and outcomes aimed at restoring assets and operations that suffered negative impacts after a cybersecurity incident (1). While response focuses on immediate containment, recovery aims to return the business to full operation and resilience (1).

9.1. Asset and Operations Restoration Activities (RC.RP-01)

The execution phase focuses on reintegrating systems and data into the daily workflow of the business. For a non-employer firm, this process must be meticulous to avoid technical relapse (1). Before putting any asset or backup back into use, it is imperative to verify its integrity (1). Restoring data from a compromised or infected backup can result in immediate reinfection of the system, nullifying recovery efforts (1). As observed in the e-commerce entrepreneur scenario, following an availability incident, recovery must include changing all passwords, terminating all active application sessions, and manually re-logging into critical systems to ensure a clean state (1). The solopreneur must recognize their limitations. For example, the international business consultant identifies restoration as an area for improvement and seeks assistance from their cloud service provider (CSP) or a cybersecurity expert to ensure the process is successful (1).

9.2. Post-Incident Coordination and Communication (RC.CO)

Successful recovery depends on constant and fluid communication with all internal and external stakeholders (1). NIST strongly recommends seeking input from legal counsel before distributing public communications about the incident status or restoration (1). This is vital to meet communication expectations detailed in customer contracts or insurance policies (1). Coordination must include clear conversations with clients about data protection requirements and future communication expectations (1). For firms using MSSPs, periodic meetings during recovery allow clear definition of roles and authorizations for restoration activities (1).

9.3. Lessons Learned Management and Post-Incident Reporting (RC.RP-06)

The final phase of recovery is learning. Documenting lessons learned provides the business owner with strategic insights on how to minimize the chances of a similar incident occurring in the future (1). The firm should produce a report documenting the entire incident, detailing the response actions taken, the effectiveness of the recovery, and areas where processes failed or could be strengthened (1). An incident can reveal not only technical weaknesses but also business model weaknesses. For example, an e-commerce seller might learn that they relied excessively on a single marketplace platform and, after the incident, revise their plan to include alternative sales channels in case of future unavailability of the primary market (1). As the business adds complexity, recovery activities must involve multiple functional areas (communications, finance, legal), and in organizations with more resources, it may be necessary to hire crisis communication professionals to manage external messaging (1).


10. Discussion: Practical Application and Use Case Scenarios

Implementation of the CSF 2.0 is not a uniform process but must be adapted to the unique needs, resources, and missions of each organization (1). The appendices of NIST CSWP 50 provide three hypothetical use cases illustrating how different non-employer firms achieve specific cybersecurity outcomes (1).

10.1. Analysis of Case 1: Intellectual Property Attorney

This scenario focuses on an intellectual property (IP) attorney who manages highly sensitive data, such as patents and trade secrets (1). The governance and risk strategy includes identifying legal obligations from bar associations and state privacy laws (1). Due to the criticality of the information, the attorney evaluates cybersecurity insurance as a risk transfer measure (1). In asset management and protection, the attorney identifies cloud-based document management systems and legal research platforms (1). The principle of least privilege is applied, ensuring clients can only access their own information (1). Unlike other solopreneurs, this profile opts to contract an MSSP for 24/7 network monitoring (1). Facing a ransomware attack, the first action is to activate the response plan in coordination with the MSSP and regional FBI authorities (1).

10.2. Analysis of Case 2: E-Commerce Entrepreneur

This case describes a custom hat manufacturer operating through an online storefront (1). The primary risk identified is unavailability of the online store, which would directly impact revenue (1). The entrepreneur uses the Appendix G worksheet to inventory critical assets every six months (1). In terms of cyber hygiene, the entrepreneur uses a laptop dedicated exclusively to the business, limiting third-party access (1). Low-cost endpoint detection and response (EDR) tools are used to monitor anomalous activity (1). After suffering a denial-of-service (DoS) attack against the marketplace platform, the entrepreneur revises the business plan to consider alternative advertising and sales channels, thereby strengthening operational resilience (1).

10.3. Analysis of Case 3: International Business Consultant

The consultant works with global clients, introducing significant complexity in data management and supply chain (1). Contracts specify strict data handling requirements and non-disclosure agreements (NDAs) (1). The consultant must track when each client's data should be destroyed or sanitized according to contractual terms (1). Owning an office router, the consultant disables remote administration capabilities so that any change requires a physical Ethernet cable connection (1). Encryption is enabled on cloud backup services (1). A critical finding in this scenario is the initial resistance to testing data restoration due to fear of technical failure (1). The consultant decides to seek assistance from the cloud service provider to validate backups, demonstrating the importance of recognizing one's own limitations (1).

10.4. Support Tools: Implementation Methodology

To facilitate these outcomes, the source provides practical tools to systematize cybersecurity (1):

  • Inventory Worksheets (Appendix G): allow categorization of impact (low, moderate, high) on confidentiality, integrity, and availability for each asset.
  • Response and Recovery Plan (Appendix H): structures an emergency contact directory (police, legal, insurance) and defines incident communication responsibilities.
  • Authentication Worksheet (Appendix I): a checklist to ensure MFA is enabled on banking, email, and customer management accounts.
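The asset inventory of sections 5.1 and 5.2 and the Appendix G worksheet just described amount to one data structure and one ranking rule, shown here as an added example (not code from the article or from NIST CSWP 50): each asset records the high-value data it handles and a low/moderate/high rating for confidentiality, integrity, and availability, and the owner ranks assets to decide where to spend limited protection effort first. The numeric 1–3 scale, the rule that an asset's overall impact is the highest of its three ratings, the likelihood-times-impact score, the six-month review interval, and the sample inventory are assumptions made for this example.

```python
"""Asset inventory worksheet with CIA impact ratings and risk ranking.

Added example, not code from the article or from NIST CSWP 50. Numeric scale,
high-water-mark rule, scoring and review interval are assumptions.
"""
from dataclasses import dataclass
from datetime import date

IMPACT = {"low": 1, "moderate": 2, "high": 3}       # assumed numeric scale
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}   # chance a threat affects the asset


@dataclass
class Asset:
    name: str
    category: str              # "hardware", "software", "data" or "cloud service"
    data_handled: list         # high-value data received, processed or transmitted
    confidentiality: str       # impact if disclosed:  low | moderate | high
    integrity: str             # impact if altered
    availability: str          # impact if unavailable
    likelihood: str            # low | moderate | high

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.name}: unknown likelihood {self.likelihood!r}")

    def overall_impact(self) -> str:
        """Highest of the three CIA ratings decides the asset's overall impact (assumption)."""
        worst = max(IMPACT[self.confidentiality], IMPACT[self.integrity], IMPACT[self.availability])
        return next(level for level, value in IMPACT.items() if value == worst)

    def risk_score(self) -> int:
        """Risk as likelihood x impact on the assumed 1-3 scales (maximum 9)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.overall_impact()]


def prioritize(inventory: list) -> list:
    """Rank assets so the owner protects the highest-risk ones first."""
    ranked = sorted(inventory, key=lambda a: (-a.risk_score(), a.name))
    return [(a.name, a.overall_impact(), a.risk_score()) for a in ranked]


def needs_review(last_reviewed: str, today: str, interval_days: int = 182) -> bool:
    """True when the inventory entry is older than the review interval (ISO dates, e.g. '2026-04-18')."""
    return (date.fromisoformat(today) - date.fromisoformat(last_reviewed)).days > interval_days


# Constructed sample inventory for a hypothetical e-commerce solopreneur.
SAMPLE_INVENTORY = [
    Asset("Business laptop", "hardware", ["customer orders", "financial records"],
          "high", "moderate", "high", "moderate"),
    Asset("Online storefront (cloud)", "cloud service", ["customer data", "payment processing"],
          "high", "high", "high", "high"),
    Asset("Wi-Fi router", "hardware", [], "low", "moderate", "moderate", "moderate"),
    Asset("Smart printer", "hardware", ["shipping labels"], "low", "low", "low", "low"),
    Asset("Cloud accounting tool", "cloud service", ["financial records"],
          "high", "high", "moderate", "low"),
]

if __name__ == "__main__":
    for name, impact, score in prioritize(SAMPLE_INVENTORY):
        print(f"{score}  {impact:8}  {name}")
    print("inventory review overdue:", needs_review("2025-09-01", "2026-04-18"))
```

On the sample data the storefront ranks first (high impact on every axis and high likelihood), the laptop second, and the printer last; the router lands above the accounting tool despite handling no high-value data itself, because its moderate integrity and availability impact is paired with a higher likelihood. That is the kind of non-obvious ordering the worksheet is meant to surface.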


11. Conclusions and Strategic Recommendations

11.1. Cybersecurity as a Pillar of Business Resilience

Cybersecurity risk management has ceased to be a technical option and has become a fundamental operational necessity for non-employer firms. Integrating the six CSF 2.0 functions—Govern, Identify, Protect, Detect, Respond, and Recover—provides a strategic and comprehensive view that enables solopreneurs not only to face threats but also to strengthen their market position. The desired cybersecurity outcomes described in this study should not be seen as a static checklist but as a dynamic process that must adapt to the mission, resources, and unique risk profile of each organization.

11.2. Competitive Advantage and Differentiation

Implementing robust cybersecurity practices acts as an enabler of business success and a positive differentiator. By protecting intellectual property, complying with legal and contractual requirements, and positioning itself as a trusted link in the supply chain, the firm increases the confidence of its customers and business partners. A mature security posture ensures that, when an incident inevitably occurs, the impact is minimized and operational resilience is maintained.

11.3. Priority Recommendations for the Non-Employer Firm

Based on the guidelines of the technical source, the following critical actions are recommended for immediate application:

  • Basic cyber hygiene: Enable phishing-resistant MFA on all banking, email, and management accounts as a mandatory baseline.
  • Asset management: Maintain an up-to-date inventory of hardware, software, and sensitive data to prioritize protection according to potential business impact.
  • Preventive maintenance: Configure automatic updates and monthly security patches on all devices to mitigate exploitable vulnerabilities.
  • Crisis preparedness: Develop and practice a simplified response and recovery plan that includes out-of-band (physical or isolated) emergency contacts.

11.4. The Imperative of Continuous Improvement and External Assistance

Cybersecurity requires a mindset of constant improvement as the business scales, technologies (such as artificial intelligence) evolve, and threats change. It is essential that the owner recognizes when technical complexity exceeds individual capacity and seeks assistance from experts, such as MSSPs, without forgetting that ultimate responsibility for data protection remains with the organization. Ultimately, a cybersecurity culture established early creates the necessary foundation for resilient and sustainable growth in the digital economy.


12. References

(1) National Institute of Standards and Technology. (2026). Small Business Cybersecurity: Non-Employer Firms (NIST Cybersecurity White Paper NIST CSWP 50 ipd). Gaithersburg, MD. https://doi.org/10.6028/NIST.CSWP.50.ipd

(2) National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST Cybersecurity White Paper NIST CSWP 29). Gaithersburg, MD. https://doi.org/10.6028/NIST.CSWP.29

(3) Quinn, S. D., Chua, J., Ivy, N., Gardner, R. K., Kent, K. A., Smith, M. C., & Witte, G. A. (2025). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NIST Interagency or Internal Report NIST IR 8286r1). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.IR.8286r1

(4) Nelson, A., Rekhi, S., Souppaya, M., & Scarfone, K. A. (2025). Incident Response Recommendations and Considerations for Cybersecurity Risk Management: A CSF 2.0 Community Profile (NIST Special Publication 800-61, Rev. 3). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-61r3

(5) U.S. Small Business Administration. (2024). Frequently Asked Questions About Small Business, July 2024. Office of Advocacy. https://advocacy.sba.gov/wp-content/uploads/2024/12/Frequently-Asked-Questions-About-Small-Business_2024-508.pdf

(6) U.S. Small Business Administration. (2019). A Look at Nonemployer Businesses. Office of Advocacy. https://advocacy.sba.gov/wp-content/uploads/2019/06/A-Look-at-Nonemployer-Businesses.pdf

(7) National Institute of Standards and Technology. (2020). NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0 (NIST Cybersecurity White Paper NIST CSWP 10). Gaithersburg, MD. https://doi.org/10.6028/NIST.CSWP.10

(8) Fisher, W., Craft, R. E., Ekstrom, M., Sexton, J., & Sweetnam, J. (2024). Data Confidentiality: Identifying and Protecting Assets Against Data Breaches (NIST Special Publication 1800-28). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.1800-28

(9) National Institute of Standards and Technology. (2004). Standards for Security Categorization of Federal Information and Information Systems (Federal Information Processing Standards Publication NIST FIPS 199). Department of Commerce. Washington, DC. https://doi.org/10.6028/NIST.FIPS.199

(10) Stine, K. M., Kissel, R. L., Barker, W. C., Fahlsing, J., & Gulick, J. (2008). Guide for Mapping Types of Information and Information Systems to Security Categories (NIST Special Publication 800-60, Vol. 1, Rev. 1). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-60v1r1

(11) Grassi, P. A., Garcia, M. E., & Fenton, J. L. (2017). Digital Identity Guidelines (NIST Special Publication 800-63-3). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-63-3

(12) Stine, K. M., Kissel, R. L., Barker, W. C., Lee, A., & Fahlsing, J. (2008). Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices (NIST Special Publication 800-60, Vol. 2, Rev. 1). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.SP.800-60v2r1

(13) Barker, W. C., Fisher, W., Scarfone, K. A., & Souppaya, M. P. (2022). Ransomware Risk Management: A Cybersecurity Framework Profile (NIST Interagency or Internal Report 8374). National Institute of Standards and Technology. Gaithersburg, MD. https://doi.org/10.6028/NIST.IR.8374
