The NIST Cybersecurity Framework has a reputation for being a document written by government agencies for large enterprises. That reputation is mostly undeserved — and ignoring the framework is costing small businesses money.
Cyber insurance underwriters increasingly ask whether you follow a recognised security framework. Saying yes, backed by evidence, can lower your premium and improve your chances of a payout when you need to make a claim. The NCSC’s Cyber Essentials scheme covers similar ground from a UK-specific angle, and many UK insurers respond well to businesses that demonstrate both.
NIST updated the framework to version 2.0 in 2024, adding a sixth function (Govern) to the original five. Here’s what each function means and what a non-technical business owner can actually do about it.
What the NIST CSF 2.0 is — and is not
The NIST Cybersecurity Framework is a set of guidelines, not a legal requirement. No law in the UK mandates that a small business follow it. It’s a structured way of thinking about cybersecurity risk, organised around six core functions.
Think of it as a health checklist for your business’s security posture. You’re not penalised for having a gap — but knowing about it means you have a plan. And plans matter when you’re talking to insurers.
The six functions, translated for small business
1. Govern
What it means: Establish who’s responsible for cybersecurity decisions and how security fits into your overall business strategy.
In a five-person business, this probably means you. Assign one named person — even part-time — as the owner of security decisions. Write a one-page security policy that states what data you protect, who’s responsible, and what employees must do. Review cyber risk at least once a year the same way you review financial risk.
The NCSC’s Small Business Guide (free at ncsc.gov.uk) includes a simple policy template that takes about an hour to complete.
2. Identify
What it means: Know what you have, what matters, and what the risks are.
Create an asset inventory — a list of every device (laptops, phones, printers, smart devices) and every software system you use. Identify which assets hold sensitive data: customer records, financial data, payment information. Map who has access to each sensitive system. Do all your employees need access to your accounting software, or just two people?
A spreadsheet is fine. The goal is awareness, not sophistication.
3. Protect
What it means: Put controls in place to limit the impact of a potential attack.
This is the most action-heavy function, and where most small businesses should spend the most time. Enable MFA on every account that supports it. Apply the principle of least privilege — give employees access to only what they need. Ensure all devices have automatic updates enabled. Deploy endpoint protection on all staff devices. Train staff to recognise phishing emails at least annually. Back up critical data following the 3-2-1 rule. Use a business-grade firewall and ensure Wi-Fi is properly segmented.
If you could only do one thing from this list, it’s MFA. But do the others too.
4. Detect
What it means: Have the ability to notice when something is going wrong.
Enable logging in your key systems — Microsoft 365 audit logs, Google Workspace activity reports, or your firewall logs. You don’t need to read them daily, but they need to exist for when you need to investigate. Set up alerts for suspicious events: multiple failed login attempts, logins from unusual countries, bulk file downloads.
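The three alerts named above (repeated failed logins, sign-ins from an unexpected country, bulk file downloads) are simple enough to express as rules over an activity log. The following is an added illustration, not code from the original article or from Microsoft or Google; the record format, country list and thresholds are assumptions, and the sample activity is constructed rather than real audit-log output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values; adjust to what is normal for your business)
ALLOWED_COUNTRIES = {"GB"}          # where your staff normally sign in from
FAILED_LOGIN_THRESHOLD = 5          # failed logins per user inside WINDOW
DOWNLOAD_THRESHOLD = 20             # file downloads per user inside WINDOW
WINDOW = timedelta(minutes=10)

def detect(records):
    """Run the three alert rules over (timestamp, user, event, country, detail)
    records and return a list of (rule, user, timestamp) alerts."""
    alerts = []
    failed = defaultdict(list)      # user -> recent failed-login timestamps
    downloads = defaultdict(list)   # user -> recent file-download timestamps
    for ts, user, event, country, detail in sorted(records, key=lambda r: r[0]):
        if event == "login_success" and country not in ALLOWED_COUNTRIES:
            alerts.append(("unusual_country", user, ts))
        elif event == "login_failed":
            # keep only attempts inside the sliding window, then add this one
            failed[user] = [t for t in failed[user] if ts - t <= WINDOW] + [ts]
            if len(failed[user]) == FAILED_LOGIN_THRESHOLD:   # fires once per burst
                alerts.append(("repeated_failed_logins", user, ts))
        elif event == "file_download":
            downloads[user] = [t for t in downloads[user] if ts - t <= WINDOW] + [ts]
            if len(downloads[user]) == DOWNLOAD_THRESHOLD:
                alerts.append(("bulk_download", user, ts))
    return alerts

def constructed_log():
    """Constructed sample activity, not real Microsoft 365 or Workspace output."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    log = [(base + timedelta(seconds=30 * i), "bob", "login_failed", "GB", "")
           for i in range(6)]                              # password-guessing burst
    log.append((base + timedelta(minutes=5), "bob", "login_success", "GB", ""))
    log.append((base + timedelta(hours=1), "alice", "login_success", "US", ""))
    log += [(base + timedelta(hours=2, seconds=5 * i), "carol", "file_download",
             "GB", f"report{i}.xlsx") for i in range(25)]  # bulk export
    log.append((base + timedelta(hours=3), "dave", "login_success", "GB", ""))
    return log

if __name__ == "__main__":
    for rule, user, ts in detect(constructed_log()):
        print(f"{ts.isoformat()}  {rule:24s}  {user}")
```

Real audit exports will need a small parsing step to map their columns onto the five-field record used here; the rules themselves stay the same.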
Small businesses often skip detection because it feels reactive. But knowing about a breach within hours rather than months dramatically limits the damage.
5. Respond
What it means: Know what to do when something goes wrong — before it happens.
Write a one-page incident response plan. It should answer: who do we call first? Who has authority to take systems offline? Who do we notify — customers, the ICO, our insurer? Store it somewhere accessible when your systems are down — a printed copy, or a personal email account outside company infrastructure.
Know your cyber insurance policy number and claims hotline. Have your IT provider’s emergency number to hand. In the UK, report cyber incidents to Action Fraud (actionfraud.police.uk) and, for significant incidents affecting your sector, to the NCSC.
6. Recover
What it means: Get back to normal operations as quickly as possible after an incident.
Test your backups. A backup you’ve never restored is a backup you cannot count on. Restore a test file quarterly — it takes five minutes and could save your business. Document your recovery time objective: how long can your business operate without access to its key systems?
After any security incident, even a minor one, hold a brief post-mortem: what happened, why, and what one thing would prevent it recurring?
Using the NIST CSF for cyber insurance applications
UK cyber insurance application forms increasingly include questions directly mapped to the NIST CSF. Insurers want to know whether you have MFA on email and critical systems, whether you maintain tested backups, whether you have an incident response plan, whether you conduct security awareness training, and whether you have a patching and vulnerability management process.
Working through the framework before your application means you can answer “yes” to more questions with evidence. And every “yes” needs to be real — insurers deny claims for material misrepresentation.
Your one-page NIST CSF action plan
| Function | Your #1 action this quarter |
|---|---|
| Govern | Assign a named security owner in writing |
| Identify | Complete a device and software asset inventory |
| Protect | Turn on MFA across all critical accounts |
| Detect | Enable audit logging in Microsoft 365 or Google Workspace |
| Respond | Write a one-page incident response plan |
| Recover | Test a backup restore |
One action per function. Six items. That’s a materially stronger security posture than most small businesses in your sector — and it’s evidence you can present to an insurance underwriter, a prospective client, or the ICO.
The NIST CSF isn’t about perfection. It’s about being deliberate. Start where you are, document what you do, and improve one function at a time.