Too many businesses treat cyberattacks like an act of God or extreme weather – something that is potentially devastating but nothing you need to think about on a day-to-day basis. But a cybersecurity breach is not like a fire, storm or explosion; it is an ever-present threat that only needs the slightest window of opportunity to breach a network.
We prefer to think of cybersecurity not as an act of God, but as a law and order issue. And, just like law enforcement, your IT team needs to be able to patrol for threats, identify potential intruders, and deploy appropriate deterrents or countermeasures when a threat is detected. Or, as the National Institute of Standards and Technology puts it: Identify, Protect, Detect, Respond and Recover.
How do you secure a modern networked, digital business? It’s a straightforward process. Think of it like a plan of action or escalation of force used by police officers. The way to mitigate risk and respond to cyberthreats is the same as any other law enforcement issue — as a program of vigilance and a plan for force escalation in response to identified threats and activities.
Law and Order on the Net
It’s easy to feel powerless and fearful, given that nameless, faceless criminals are probing your business for weaknesses. But the good news is that it’s possible to defend yourself. It’s not possible to eliminate cyberthreats entirely, but you can mitigate and control the exposures you may face. Thanks to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), cybersecurity is not a reactive, passive practice; it’s a process in which defenders continually monitor, assess and react to the threat environment they face, responding intelligently to threats and keeping data secured with well-established best practices.
According to Gartner, the NIST-CSF is used by approximately 30% of U.S. organizations and projected to reach 50% by 2020. The Gordon Flesch Company has adopted the NIST Framework, which is a set of activities, outcomes and references that provide detailed guidance for developing individual organizational profiles for cybersecurity. Through the Framework, an organization can align and prioritize its cybersecurity activities with its business requirements, risk tolerances and resources.
Identify, Protect, Detect, Respond, Recover
When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The CSF is not intended to be a series of steps performed in a fixed order; rather, the Functions should be performed concurrently and continuously.
Once you adopt these five cybersecurity Functions, there are five repeatable steps you can take to implement this process. The following steps are not set in stone, but they are a basic framework for how an organization can create a new cybersecurity program or improve an existing one. As mentioned earlier, these steps should be repeated as necessary to continuously improve cybersecurity.
1. Identify your business and mission objectives and priorities. With this information, you can support the different business lines or processes within an organization, which may have different business needs and levels of risk tolerance.
2. Identify related systems and assets, regulatory requirements, and overall risk approach. This step needs to be taken once the scope of the cybersecurity program has been determined. The organization then tries to identify the vulnerabilities to those systems and assets.
3. Create a Current Profile of the company. Focus on risk tolerance, which should support the organization’s overall risk management process. Most important is assessing the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations identify emerging risks and use cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events.
4. Create a Target Profile that describes the cybersecurity posture the company or organization would like to achieve. This step compares the Current Profile and the Target Profile to determine gaps. You’ll also need to determine the resources, including funding, staffing and outsourcing of services, necessary to address the gaps.
5. Implement the plan based on realistic expectations. That means assessing the current cybersecurity practices and the steps needed to achieve the Target Profile.
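As an added illustration of steps 3 through 5 (not code from the Gordon Flesch post or from NIST), the following Python script compares a Current Profile with a Target Profile, scores each gap by the likelihood and impact of a cybersecurity event, and flags any of the five Functions the Target Profile leaves uncovered. The category names, 0-4 implementation levels (a simplification of the CSF Implementation Tiers) and likelihood/impact scores are constructed values, not figures from the page.

```python
# Added example: CSF-style gap analysis between a Current and a Target Profile.
# All profile entries and risk scores below are constructed for illustration.

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Each profile maps (Function, Category) to an implementation level 0-4,
# a simplification of the CSF Implementation Tiers (constructed values).
CURRENT_PROFILE = {
    ("Identify", "Asset Management"): 2,
    ("Protect", "Access Control"): 1,
    ("Detect", "Continuous Monitoring"): 0,
    ("Respond", "Incident Analysis"): 1,
    ("Recover", "Recovery Planning"): 2,
}
TARGET_PROFILE = {
    ("Identify", "Asset Management"): 3,
    ("Protect", "Access Control"): 3,
    ("Detect", "Continuous Monitoring"): 3,
    ("Respond", "Incident Analysis"): 2,
    ("Recover", "Recovery Planning"): 2,
}

# (likelihood, impact) of a cybersecurity event if the category stays at its
# current level, each on a 1-5 scale (constructed values).
RISK = {
    ("Identify", "Asset Management"): (3, 3),
    ("Protect", "Access Control"): (4, 5),
    ("Detect", "Continuous Monitoring"): (5, 4),
    ("Respond", "Incident Analysis"): (2, 4),
    ("Recover", "Recovery Planning"): (2, 5),
}

def gap_analysis(current, target, risk):
    """Return gaps ordered by priority = likelihood * impact * size of gap.
    A category absent from the Current Profile counts as level 0; categories
    already at or above their target produce no gap."""
    gaps = []
    for key, want in target.items():
        have = current.get(key, 0)
        if have >= want:
            continue
        likelihood, impact = risk.get(key, (1, 1))  # unknown risk: lowest
        gaps.append({"function": key[0], "category": key[1], "current": have,
                     "target": want, "priority": likelihood * impact * (want - have)})
    return sorted(gaps, key=lambda g: (-g["priority"], g["function"]))

def missing_functions(profile):
    """Functions with no category in the profile: the CSF expects all five."""
    covered = {key[0] for key in profile}
    return [f for f in FUNCTIONS if f not in covered]
```

Running `gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK)` puts Continuous Monitoring (priority 60) ahead of Access Control (40), a ranking that is the input to the funding and staffing decisions of step 4 and the realistic implementation plan of step 5.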
We believe that the NIST Framework is a flexible, repeatable, performance-based and cost-effective approach to manage cyber risks. The Framework focuses on using business drivers to guide cybersecurity activities and to consider cybersecurity risks as part of the organization’s risk management processes.
The Framework enables organizations — regardless of size, degree of cybersecurity risk or cybersecurity sophistication — to apply the principles and best practices of risk management to improve security and resilience. The Framework provides a common organizational structure for multiple approaches to cybersecurity by assembling standards, guidelines and practices that are working effectively today.
For more details on how to proceed, the Gordon Flesch Company will publish a more comprehensive guide to the NIST Cybersecurity Framework. Look for more information in the coming days. In the meantime, contact the Gordon Flesch Company for a no-cost assessment and to learn more about how our Managed IT services can help secure your local or Cloud-based IT infrastructure.