How Small Businesses Can Use a Hybrid Cybersecurity Framework to Fight Cyber Threats

30.05.2025

An unexpected discovery: human error is one of the biggest cybersecurity risks. Here is how small businesses can build a stronger defence against cyber threats.

At the beginning of my exploration into cybersecurity frameworks for small businesses, I expected to find very complex solutions listed as defences against cyber threats. However, my thesis revealed something unexpected: 68% of breaches happen because of human error, for example using weak passwords, clicking phishing links and having no access control. This is why one of the best cybersecurity strategies against cyber threats is about people, leadership and affordable controls rather than technology alone.


I will be sharing key insights from my thesis, which proposed a hybrid cybersecurity framework combining the best of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), the International Organization for Standardization (ISO) 27001 standard, and the CEO engagement guidance of the Cybersecurity and Infrastructure Security Agency (CISA), all aimed at small businesses with limited resources.


Why Are Small Businesses Targeted the Most?


Small businesses can be defined as startups and other small firms that lack experience and resources, including the budget to hire skilled personnel or a cybersecurity team to shield them. Small business owners often assume that hackers only go after big organizations. Yet data shows that 60% of small businesses shut down within six months of a major cyberattack (Verizon, 2024). Attackers target them because small businesses most likely lack dedicated cybersecurity teams, use outdated systems, and have employees who are not trained in these matters.
My exploration analysed real-world breaches and found that ransomware attacks have increased by 32% since 2018. The biggest vulnerabilities were human error, weak passwords, outdated systems, unpatched software and poor access control.


A Hybrid Framework: Key Ingredients


Most cybersecurity frameworks are either too expensive, like full ISO 27001 certification, or too abstract to act on without guidance, like the NIST guidelines. My thesis proposes a hybrid approach that mixes the most suitable parts from each framework to meet the specific needs of small businesses.

  1. NIST CSF

The National Institute of Standards and Technology Cybersecurity Framework provides a risk-based approach built around five core functions:

  • Identify – what are our risks?
  • Protect – how do we secure our systems?
  • Detect – can we discover threats early?
  • Respond – what’s our incident plan?
  • Recover – how do we bounce back?

This framework is free and adaptable, which makes it well suited to small businesses. Note that NIST CSF 2.0, released in 2024, adds a sixth function, Govern, which covers exactly the leadership responsibilities discussed below under CEO engagement.

  2. ISO 27001

ISO 27001 is a globally recognised standard for managing information security and offers in-depth guidance, but full certification can cost over ten thousand US dollars. Instead, small businesses can adopt its key elements:

  • Regular risk assessments (find the weak spots before attackers do)
  • Access controls (require multi-factor authentication and give each user only the access they need)
  • Employee training (stop phishing attacks before they happen)

These elements matter most for businesses handling sensitive data such as customer information and payments.

  3. CEO engagement from CISA

Most frameworks say little about leadership's role, but my thesis found that companies with a CEO-driven cybersecurity culture had 50% fewer breaches. The key CEO actions were:

  • Appointing a cybersecurity manager (even part-time)
  • Participating in incident drills (practice makes perfect)
  • Funding essential tools and supporting the people responsible for security

Data also shows that a CEO who mandates quarterly phishing tests reduces click rates by 80%.

  4. Implementation roadmap

Figure 1 outlines a 12-month phased implementation strategy, synthesizing the NIST CSF Quick Start Guide (2023), the CIS Small Business Guide and ISO 27001 templates. Designed for a resource-constrained environment, the roadmap prioritizes deploying the CIS controls first, while building toward long-term goals such as ISO certification.

Figure 1: Security Framework Implementation strategy

Recommendation: use free tools such as Wazuh (https://wazuh.com/), an open-source platform for threat detection and log monitoring, to monitor systems. Detection only works if the alerts are actually reviewed, so the part-time cybersecurity manager named above should own them.
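To make the "Detect" function concrete, here is an added example (my own illustration, not code from the thesis or from the Wazuh project) of the kind of correlation a monitoring tool performs for you: it parses sshd authentication lines in the standard syslog format and raises an alert when one source IP produces five failed logins inside a two-minute sliding window. The log lines are constructed for the example, the IPs are documentation addresses, and the threshold and window are assumed values you would tune to your own environment. Wazuh ships rules that do this correlation out of the box; the point here is to show what such a rule is actually checking.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/sshd format (not real logs).
# 203.0.113.45 is a password-guessing source; 192.0.2.10 is a user who
# mistyped once; 198.51.100.7 fails twice but far apart in time.
SAMPLE_LOG = """\
Mar 12 09:14:01 shop-pos sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 12 09:14:03 shop-pos sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Mar 12 09:14:05 shop-pos sshd[2212]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar 12 09:14:07 shop-pos sshd[2213]: Failed password for root from 203.0.113.45 port 51125 ssh2
Mar 12 09:14:09 shop-pos sshd[2214]: Failed password for root from 203.0.113.45 port 51126 ssh2
Mar 12 09:20:41 shop-pos sshd[2301]: Failed password for alice from 192.0.2.10 port 40012 ssh2
Mar 12 09:20:55 shop-pos sshd[2302]: Accepted password for alice from 192.0.2.10 port 40013 ssh2
Mar 12 10:02:13 shop-pos sshd[2410]: Failed password for bob from 198.51.100.7 port 33001 ssh2
Mar 12 10:30:13 shop-pos sshd[2411]: Failed password for bob from 198.51.100.7 port 33002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2025):
    """Return a dict with ts/result/user/ip, or None for lines we do not understand.
    Syslog timestamps carry no year, so one is assumed (parameter)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=120):
    """Sliding-window correlation: alert once per source IP when it reaches
    `threshold` failed logins within `window_seconds`.
    Returns a list of (ip, first_failure_ts, last_failure_ts, count)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()               # avoid re-alerting on every further failure
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], q[0], q[-1], len(q)))
    return alerts


if __name__ == "__main__":
    for ip, first, last, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT brute force from {ip}: {count} failures between "
              f"{first:%H:%M:%S} and {last:%H:%M:%S}")
```

Run against the sample, only 203.0.113.45 trips the rule; alice's single typo and bob's two failures 28 minutes apart do not. That is the reason for the time window: counting failures without one turns every forgetful employee into an alert, and an alert stream nobody trusts is as bad as none.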

The main lesson: cybersecurity is a culture, not just a tool

I learned that technology alone will not stop attackers from getting into our systems, but people can. Small businesses cannot afford expensive security tools and skilled personnel, but they can train employees, prioritize cheap and effective controls such as multi-factor authentication and backups, get leadership involved, and build a strong cybersecurity culture.

Cybersecurity threats will not end, but with this hybrid framework, small businesses have a chance to fight back without needing a big budget.

More information can be found in my thesis report.

Thesis in Theseus: https://urn.fi/URN:NBN:fi:amk-2025052817430