In 2013 President Obama recognized the importance of cybersecurity and issued an executive order titled “Cybersecurity/ Presidential Policy Directive on Critical Infrastructure Security and Resilience”. This was in response to numerous devastating cyber-attacks against the Federal Government and private businesses. In May 2017 President Trump reaffirmed this executive order thus erasing any doubt as to the order’s importance. No matter on which side of the political aisle you sit, cyberattacks against government and business in the United States are a serious matter.
Companies of all sizes face the same risks from cyberattacks;
- Financial
- Reputational
- Regulatory and Compliance
- Legal
The government recognized this fact and knew protecting businesses and critical infrastructure would need a new approach.
As part of President Obama’s directive, a mandate was issued for the National Institute of Standards and Technology (NIST) to create a new framework for cybersecurity, and thus the NIST Cybersecurity Framework (CSF) was released. This framework provides;
- A common language and structure across all industries
- Opportunities for collaboration amongst public and private sectors
- The ability to demonstrate due-diligence and due-care by adopting the framework
- Greater ease in adhering to compliance regulations or industry standards
- Improved cost efficiency
- Flexibility in using any existing standards such as HITRUST, NIST 800-53, ISO 27002, etc.
But, not all companies are created equal in how they are able to respond, remediate, and recover from a hack against their data and intellectual property.
Adopting the NIST CSF allows you to improve your cybersecurity program, demonstrate your adherence to leading security practices, as well as help shift your organization to be proactive about security risk management. The CSF is organized into 5 functions;
- Identify
- Protect
- Detect
- Respond
- Recover
Each function has subcategories with security controls and outcomes. With each subcategory there are “informative resources” referencing many other adopted security standards.
Although the CSF provides a vehicle for easier understanding of security risk, mitigating controls, and the ability to report to executive leadership, governance, board of directors etc. it does not come with an easy button for how to assess your current security maturity. Expertise in cybersecurity, often through outside resources can be very helpful in understanding your environment and how you measure up to the CSF functional areas. An example is detecting cyber risk. Fending off hackers takes a high level of skill due to hackers’ increasing sophistication in avoiding traditional security technologies such as firewalls and anti-virus software. A more robust approach is needed, but purchasing advanced tools can be expensive. Expensive enough, in fact, that an effective cybersecurity function could be out of reach altogether. This is especially true for small to medium sized businesses (SMB). Furthermore, high levels of technical expertise are needed to maximize the tools’ effectiveness. SMBs are very often subject to the same attacks as fortune 500 companies due to the fact hackers know small businesses cannot fend off these attacks as effectively. A staggering 50% of SMBs, defined as between 100 to 1000 employees, suffered at least one cyber-attack over the past 12 months.
SMBs are at a huge disadvantage, but all is not lost. By adopting, implementing, and measuring your companies security posture using the NIST CSF, as well as employing robust monitoring and alerting of security threats, your business will be able to better defend against this ever increasing risk. What cannot be done is ignore the threat, or think “it cannot happen to me” or “why would anybody attack us?” History has shown that is everybody is a target.
GRCential has the expertise and understanding of the NIST cybersecurity framework to be your trusted partner in helping fight back against this ever-increasing risk to your business.
Have a question? Want to share your story? Contact Us