NIST CSF 2.0 Protect Function for Small & Mid-Size Businesses

A practical guide to implementing the NIST CSF 2.0 Protect function — covering access control, security awareness training, data security, platform hardening, and infrastructure resilience for small businesses.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What the Protect function covers

The Protect function is where cybersecurity gets tangible. While Govern and Identify are about understanding and planning, Protect is about implementing the actual safeguards that reduce your cybersecurity risk. It is the function most people think of when they hear "cybersecurity."

In NIST CSF 2.0, the Protect function has five categories:

PR.AA — Identity Management, Authentication, and Access Control. Ensuring only authorized people can access your systems and data, using strong authentication methods.

PR.AT — Awareness and Training. Making sure your people know how to recognize and avoid cybersecurity threats.

PR.DS — Data Security. Protecting the confidentiality, integrity, and availability of your data throughout its lifecycle.

PR.PS — Platform Security. Hardening your hardware, software, and services to reduce vulnerabilities.

PR.IR — Technology Infrastructure Resilience. Ensuring your technology infrastructure can withstand and recover from adverse events.

For small businesses, the Protect function often feels overwhelming because there are so many potential controls to implement. The key is prioritization: start with the controls that address your highest risks (identified in the Identify function) and provide the most protection per dollar invested.

Access control: the highest-impact control

If you implement only one security control, make it access control with MFA. Compromised credentials are the number one attack vector for small businesses, and strong access control stops the majority of attacks cold.

Multi-factor authentication (MFA) is non-negotiable. Enable it on every system that supports it: email, cloud applications, VPN, remote desktop, practice management software, banking portals, and social media accounts. Prefer authenticator apps (Microsoft Authenticator, Google Authenticator) or hardware keys (YubiKey) over SMS-based MFA, which can be intercepted via SIM swapping.

Least privilege means giving each person access only to the systems and data they need for their job — nothing more. An office manager does not need access to server administration. A junior associate does not need access to all client files. Review access permissions quarterly and immediately when someone changes roles or leaves.

Unique accounts are essential. No shared accounts, no generic logins, no "office" email addresses used by multiple people. Every user must have their own account with their own credentials. This enables audit trails and makes access revocation possible.

Password policies should require strong, unique passwords (12+ characters) and prohibit password reuse. Better yet, implement a password manager (Bitwarden, 1Password) for your team so that strong, unique passwords become the path of least resistance.

Cyber Defense Agent verifies your external access control posture by checking for exposed login portals, default credentials on web interfaces, open remote access ports (RDP, SSH, VNC), and proper authentication configurations.

Security awareness training that works

The best technical controls in the world fail if your people click on phishing links, use weak passwords, or share sensitive data inappropriately. Security awareness training is the Protect function's human element. Training does not need to be expensive or time-consuming. For a small business, here is what works:

Phishing awareness is the single most important topic. Over 90% of successful cyberattacks start with a phishing email. Train your team to: verify sender addresses (not just display names), hover over links before clicking, be suspicious of urgency and emotional manipulation, and report suspicious emails to your security lead. Run periodic simulated phishing tests — free tools like GoPhish or affordable services like KnowBe4 can do this.

Password hygiene training covers: why unique passwords matter, how to use the company password manager, why MFA protects them, and what to do if they suspect their password has been compromised.

Data handling training covers: what data is sensitive, how to store it securely, how to share it securely (encrypted email, secure file transfer), and what to do with data when it is no longer needed (secure deletion).

Incident reporting training covers: what constitutes a security incident, who to report it to, and the importance of reporting immediately rather than trying to fix it yourself. Create a culture where reporting is rewarded, not punished.

Frequency: conduct formal training annually and supplement with monthly micro-trainings (a 5-minute email or video on a specific topic). Document all training for compliance evidence.
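
The phishing-awareness points above ("verify sender addresses, not just display names", "be suspicious of urgency") can also be applied mechanically to message headers, which is useful for a security lead triaging reports. The script below is an added example, not from this guide or any product it mentions: it parses raw headers with Python's standard email module and reports the indicators a reviewer should look at. The company domain, the look-alike domain and both messages are constructed.

```python
"""Header checks mirroring the phishing-awareness training points above.

Added example (not from the article). It applies the "verify the sender
address, not just the display name" rule to raw message headers and returns
indicator codes for a reviewer. The domain and messages are constructed.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "acme.example"  # constructed; use your own mail domain
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "action required", "overdue")
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (acrne vs acme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Domain part of an address, or '' when there is no address."""
    return address.rpartition("@")[2].lower()


def phishing_indicators(raw_message, company_domain=COMPANY_DOMAIN):
    """Return a list of indicator codes found in the message headers."""
    msg = email.message_from_string(raw_message)
    indicators = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name that itself contains an address from another domain.
    embedded = ADDRESS_RE.search(display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        indicators.append("display_name_embeds_other_address")

    # 2. Sender or Reply-To domain that is close to, but not, our own.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    for dom in {from_domain, domain_of(reply_addr)} - {""}:
        if 1 <= edit_distance(dom, company_domain) <= 2:
            indicators.append(f"lookalike_domain:{dom}")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("reply_to_domain_mismatch")

    # 4. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        indicators.append("urgency_language")
    return indicators


# Constructed sample messages (headers only matter here).
LEGIT = """From: Jane Doe <jane@acme.example>
To: staff@acme.example
Subject: Q2 schedule

See attached.
"""

SUSPICIOUS = """From: "Jane Doe <jane@acme.example>" <billing@mailer-free.example>
Reply-To: ceo@acrne.example
To: staff@acme.example
Subject: URGENT: wire transfer needed immediately

Please handle this now.
"""

if __name__ == "__main__":
    print("legit:", phishing_indicators(LEGIT))
    print("suspicious:", phishing_indicators(SUSPICIOUS))
```

The second message is the classic pattern the training warns about: the display name shows a trusted address while the real sender is elsewhere, replies go to a look-alike domain, and the subject applies pressure. None of these checks replace training, but they give the person handling reports a consistent checklist.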

Data security and platform hardening

Data security and platform hardening are the technical backbone of the Protect function. Here is what matters most for small businesses.

Encryption protects data at rest and in transit. For data in transit, ensure all websites use HTTPS (TLS 1.2+), all email is transmitted over encrypted connections, and any VPN or remote access uses strong encryption. For data at rest, enable full-disk encryption on all computers (BitLocker on Windows, FileVault on Mac), encrypt backups, and verify your cloud providers encrypt stored data. CDA verifies your TLS configuration and encryption posture in every scan.

Email authentication prevents attackers from spoofing your domain to phish your employees or customers. Implement SPF (Sender Policy Framework) to specify which servers can send email for your domain, DKIM (DomainKeys Identified Mail) to digitally sign outgoing emails, and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to tell receiving servers what to do with unauthenticated emails. CDA checks all three in every scan and provides specific remediation guidance.

Security headers protect your website visitors. Implement Content-Security-Policy (CSP), HTTP Strict Transport Security (HSTS), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. These headers prevent common web attacks like cross-site scripting (XSS), clickjacking, and content injection. CDA checks for all recommended security headers.

Patch management is unglamorous but critical. Unpatched software is one of the most exploited vulnerability categories. Enable automatic updates on all operating systems and applications. For systems that cannot auto-update, maintain a patching schedule — at minimum monthly, with critical patches applied within 48 hours.

Backups are your last line of defense against ransomware. Follow the 3-2-1 rule: three copies of your data, on two different media types, with one copy offsite. Test your backups quarterly by performing a practice restore. An untested backup is not a backup.
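
The SPF, DKIM and DMARC records described above are plain DNS TXT data, so their common weaknesses can be checked with a few rules. The script below is an added example, not Cyber Defense Agent's own check: it evaluates whether SPF ends in a restrictive "all", stays within the DNS-lookup limit and is published once, whether DMARC has an enforcing policy and a reporting address, and whether the DKIM selector key is published and not revoked. The TXT records are constructed; a real check would resolve the same names over DNS (for example with dnspython), which is the one thing assumed here.

```python
"""Evaluate SPF, DKIM and DMARC records as the section above describes.

Added example, not the Cyber Defense Agent product's check. The TXT data is
constructed; a real check would resolve the same names over DNS (assumed,
for example via dnspython).
"""

# Constructed TXT records keyed by the DNS name they would live at.
DNS_TXT = {
    "good.example": ["v=spf1 mx include:_spf.mailer.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_PUBLIC_KEY"],
    "weak.example": ["v=spf1 +all", "v=spf1 mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

SPF_MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it makes SPF a permanent error


def _tags(record):
    """Parse 'k=v; k2=v2' style DMARC/DKIM records into a dict."""
    return dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)


def _is_lookup_term(term):
    """SPF terms that cost a DNS lookup: include, a, mx, ptr, exists, redirect."""
    t = term.lstrip("+-~?").lower()
    return t in ("a", "mx", "ptr") or t.startswith(
        ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:", "redirect="))


def check_spf(domain, txt):
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: any server can claim to send for this domain"]
    findings = []
    if len(records) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error; merge them")
    terms = records[0].split()[1:]
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None or all_term in ("+all", "?all", "all"):
        findings.append("permissive or missing 'all': end the record with -all (or ~all)")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {SPF_MAX_LOOKUPS}")
    return findings


def check_dmarc(domain, txt):
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: receivers get no instruction for unauthenticated mail"]
    tags = _tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is still delivered; "
                        "move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("no rua tag: you receive no aggregate reports on who sends as your domain")
    return findings


def check_dkim(domain, selectors, txt):
    """Selectors are chosen by your mail provider; knowing them is assumed."""
    findings = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        records = [r for r in txt.get(name, []) if r.upper().startswith("V=DKIM1")]
        if not records:
            findings.append(f"{name}: no DKIM key published; outgoing mail cannot be verified")
        elif not _tags(records[0]).get("p"):
            findings.append(f"{name}: empty p= tag means the key is revoked")
    return findings


def assess_domain(domain, selectors=("s1",), txt=DNS_TXT):
    """Run all three checks and return findings per control (empty list = OK)."""
    return {
        "spf": check_spf(domain, txt),
        "dkim": check_dkim(domain, selectors, txt),
        "dmarc": check_dmarc(domain, txt),
    }


if __name__ == "__main__":
    for dom in ("good.example", "weak.example"):
        for control, findings in assess_domain(dom).items():
            print(dom, control, findings or "OK")
```

The "weak.example" records show the typical starting point: two SPF records (a permanent error for receivers), "+all" that authorizes the whole internet, a DMARC policy of none that only monitors, no reporting address, and no DKIM key. The remediation order in the DMARC finding, monitor, then quarantine, then reject, matches how the text describes rolling the controls out.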

Key Takeaways

Access control with MFA is the single highest-impact security control — implement it on every system before doing anything else.

Security awareness training does not need to be expensive; focus on phishing recognition, password hygiene, and incident reporting.

Encryption, email authentication (SPF/DKIM/DMARC), and security headers are critical data security controls that CDA verifies automatically.

Patch management and tested backups are foundational controls that prevent the most common attack outcomes.

Prioritize Protect controls based on your risk assessment — address the highest risks first rather than trying to do everything at once.

Frequently asked questions

What is the single most important security control for a small business?

Multi-factor authentication (MFA) on all accounts. It stops the majority of credential-based attacks, which are the number one attack vector for small businesses. If you do nothing else, enable MFA on email, cloud applications, and any system accessible from the internet. It is free or low-cost with most business software.

How do I know if my encryption is properly configured?

Run a Cyber Defense Agent scan on your domain. CDA checks your TLS/SSL configuration, certificate validity, protocol versions, and cipher suites. It will flag weak encryption, expired certificates, or misconfigured TLS. For internal encryption (full-disk), check your operating system settings — BitLocker on Windows, FileVault on Mac.

Is free security awareness training effective?

Yes. Free resources from NIST, CISA, SANS, and KnowBe4 provide quality training content. What matters more than the platform is consistency: train annually, supplement with monthly micro-trainings, and run phishing simulations. A free program done consistently is far better than an expensive program done once and forgotten.

What security headers should my website have?

At minimum: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options: DENY or SAMEORIGIN, and Referrer-Policy. CDA checks for all of these and provides specific recommendations. Your web developer or hosting provider can implement them, usually in minutes.
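
The five headers in this answer can be verified from any HTTP response. The script below is an added example, not Cyber Defense Agent's scanner: it parses a raw response and reports which headers are missing or weakly set, using the values the answer gives (nosniff, DENY or SAMEORIGIN) plus a one-year HSTS max-age and a CSP without wildcard or 'unsafe-inline' sources. Both responses are constructed; to check a live site, feed it the output of curl -I or the headers from urllib.request instead.

```python
"""Check the five security headers the answer above lists.

Added example (not Cyber Defense Agent's scanner). Parses a raw HTTP
response and reports missing or weak headers. Both responses are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; the commonly recommended HSTS minimum


def parse_headers(raw_response):
    """Return {lowercased-name: value} from a raw HTTP response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(raw_response):
    """Return a list of 'Header: problem' strings; empty means all five pass."""
    h = parse_headers(raw_response)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security: missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security: max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy: missing")
    elif "'unsafe-inline'" in csp or re.search(r"(default|script)-src[^;]*\*", csp):
        findings.append("Content-Security-Policy: allows unsafe-inline or wildcard sources")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: missing or not 'nosniff'")

    # CSP frame-ancestors is the modern equivalent, so accept either.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and (csp is None or "frame-ancestors" not in csp):
        findings.append("X-Frame-Options: missing (and no CSP frame-ancestors)")

    rp = h.get("referrer-policy", "").lower()
    if not rp or rp == "unsafe-url":
        findings.append("Referrer-Policy: missing or unsafe-url")
    return findings


# Constructed responses: one hardened, one as a default install often looks.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin

<html><body>ok</body></html>"""

WEAK = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src * 'unsafe-inline'
Referrer-Policy: unsafe-url

<html><body>ok</body></html>"""

if __name__ == "__main__":
    print("hardened:", header_findings(HARDENED) or "all headers OK")
    for finding in header_findings(WEAK):
        print("weak:", finding)
```

Run the weak response through it and every header is flagged, including the CSP that is technically present but permits everything. That distinction, present versus correctly configured, is what a hosting provider's "we added the headers" often misses.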
