Small advisory firms and their small-business clients can probably recite in their sleep the usual guidance proffered against hackers: use unusual passwords and change them often, and don’t click on links and attachments you weren’t expecting, even from people you know.

But the National Institute of Standards and Technology (NIST) has a somewhat different take on cybersecurity worth taking for businesses that can’t spend zillions on protection.

While part of the conventional wisdom for cybersecurity is to do background checks on incoming employees, NIST said in a recent report that the first review should be done of the owner/boss.

“Consider doing a background check on yourself,” NIST urged. “Many people become aware that they are victims of identity theft only after they do a background check on themselves and find reported arrest records and unusual previous addresses where they never lived. This can be an indication that your identity has been stolen.”

NIST also recommended the dicta that employees have access to only the specific information they need to do their jobs be applied to everyone in the company, including executives and senior managers.

It is well recognized hackers can scare away customers.

The NIST report stated hacks can damage a person's credit to the point that their business can’t get a loan from a bank and can lead to a decline in worker productivity.

The good news, according to NIST, is elemental low-cost or no-cost protections can be effective because although some cyber criminals are becoming more sophisticated, most are not.

Furthermore, said the study, a strong information security program can help a small business gain and retain customers, employees and business partners.

New cybersecurity technologies "can lower costs while delivering better services to your customers … and provide access to more high-profile targets through its products, services or role in a supply chain,” the report said.

A good starting point for a small-business owner is to do a cyber risk assessment by creating a list of computerized information the business has and ranking its importance from none to highest on a scale of 0 to 3. Then ask the following questions about each data holding:

• What would happen to my business if this information was made public?
• What would happen to my business if this information was incorrect?
• What would happen to my business if I/my customers couldn’t access this information?
• What would be the cost to my business if the information is obtained by hackers?
• What would be the cost of loss of access to this information?

Another piece of advice NIST gave is don’t go overboard in buying and installing computer programs.

“Only install those applications that you need to run your business Any software application including operating systems, firmware, or plugin installed on a system could provide the means for an attack,” said NIST.