CBI Blog

Navigating the NIST Cybersecurity Framework

So you’ve detected a cyber security threat to your company. What do you do? How do you respond? You have to think fast: every hour of delay can mean greater financial loss, and you may end up in court…

According to one survey, 69% of business executives expect to be in this spot within the year: identifying an attempted theft or corruption of their data. The good news is that you’re not alone. The bad news is that if you land in this position without a framework and company policy already in place, you will be extremely stressed (even panicked). Your company does not have to suffer detrimental financial, legal, and reputational losses, however.

Yes, cyber security threats are increasing, and the federal government is well aware of this. In February 2013, Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued. In a nutshell, the order directed the National Institute of Standards and Technology (NIST) to develop, in collaboration with private-sector experts, a set of cyber security standards and best practices for critical infrastructure. One year later, in February 2014, NIST published version 1.0 of the Cybersecurity Framework (NIST CSF).

While designed for critical infrastructure in the United States, the framework can be applied by any American company. An organization that adopts it, and in particular the Respond function, is better positioned to contain an incident quickly and limit the damage when a security breach does happen.

Sound intriguing?

Read on to learn in detail what the NIST Cybersecurity Framework is, who needs it, what the benefits of adopting it are, and how it can help protect you and your company from successful cyber attacks.

Critical Infrastructure

We touched on this earlier, but let’s go into more detail. The United States designates 16 critical infrastructure sectors. (A critical infrastructure sector provides services so essential that American society depends on them; think of these sectors as the backbone of the country.) The sectors are:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

If one of these sectors were compromised, American society would be compromised with it. As these sectors have become dependent on networked technology, cyber attacks have become a critical threat to them. The federal government recognized a cyber attack on critical infrastructure as one of the most serious systemic threats to the US, which is why the EO was issued and the NIST CSF was created.

In creating the framework, NIST worked with more than 3,000 individuals and organizations from the private sector to develop guidelines and best-practice standards that critical infrastructure operators could rely on. Any private company can adopt them, however, whether only a small section of the guidelines or most of the framework, because, unlike HIPAA or PCI DSS, the NIST Cybersecurity Framework is voluntary.

Core Functions

The NIST CSF core is made up of five functions: Identify, Protect, Detect, Respond, and Recover.

Identify

Under this function, a company inventories the systems, data, people, and business processes that need protecting, assesses the threats and vulnerabilities that affect them, and ranks the resulting risks. Not every asset carries the same risk; the ranking, from low to severe, drives everything that follows.

Protect

Having identified its assets and risks, the company takes proactive steps to protect them from cyber threats: access control, awareness and training, data security, maintenance, and protective technology. To get the most bang for your buck, the level of protection is matched to the risk of each asset: the most critical and exposed assets get the strongest safeguards, the least critical the lightest. This is a departure from the old-school mindset in which defenses were stacked at the network perimeter and everything inside was trusted. Safeguards are instead layered around the assets themselves, on the assumption that an attacker may already be inside the perimeter.

Detect

This function covers logging, continuous monitoring, and establishing a baseline of normal user behavior and activity patterns. The baseline is critical: a company needs to know what normal looks like before it can recognize anything else. Once a baseline exists, deviations from it, such as logins from new locations, activity at unusual hours, or bursts of failed authentication, stand out as potential cyber threats that merit investigation.
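To make the baseline-then-detect idea concrete, here is an added example (not part of the original post, and not a CBI or NIST tool) that builds a per-user baseline of source addresses and login hours from historical authentication events, then flags new events that deviate from it. The log format, the addresses, and the user names are all constructed for the example; the failure-burst threshold of three is an assumed tuning value.

```python
"""Baseline-then-detect over constructed authentication log lines.

Added example, not from the original article. The log format below
(timestamp user= src= action= result=) is invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed historical events used to learn what "normal" looks like.
HISTORICAL = [
    "2024-03-04T09:02:11 user=alice src=10.0.0.5 action=login result=success",
    "2024-03-05T09:15:40 user=alice src=10.0.0.5 action=login result=success",
    "2024-03-06T10:01:02 user=alice src=10.0.0.7 action=login result=success",
    "2024-03-04T08:45:00 user=bob src=10.0.1.20 action=login result=success",
    "2024-03-05T17:30:12 user=bob src=10.0.1.20 action=login result=success",
    "2024-03-06T08:50:33 user=bob src=10.0.1.20 action=login result=failure",
]

# Constructed new events to evaluate against the baseline.
NEW = [
    "2024-03-07T09:05:00 user=alice src=10.0.0.5 action=login result=success",
    "2024-03-07T03:12:09 user=alice src=203.0.113.9 action=login result=success",
    "2024-03-07T08:52:00 user=bob src=10.0.1.20 action=login result=failure",
    "2024-03-07T08:52:05 user=bob src=10.0.1.20 action=login result=failure",
    "2024-03-07T08:52:10 user=bob src=10.0.1.20 action=login result=failure",
    "2024-03-07T11:00:00 user=mallory src=198.51.100.4 action=login result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=login result=(?P<result>\w+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def build_baseline(lines):
    """Per user, record the source addresses and hours seen in successful logins.

    Failed attempts are excluded so that an attacker's probing does not
    become part of the "normal" profile.
    """
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue
        baseline[ev["user"]]["srcs"].add(ev["src"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def detect(baseline, lines, fail_threshold=3):
    """Return (kind, user, detail) findings for events that deviate from the baseline."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive failure count
    for line in lines:
        ev = parse(line)
        if ev is None:
            findings.append(("unparsed", None, line.strip()))
            continue
        user, src, hour = ev["user"], ev["src"], ev["ts"].hour
        if ev["result"] == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == fail_threshold:
                findings.append(("failure_burst", user, f"{fail_threshold} failures from {src}"))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append(("unknown_user", user, f"first successful login, from {src}"))
            continue
        if src not in profile["srcs"]:
            findings.append(("new_source", user, src))
        if hour not in profile["hours"]:
            findings.append(("unusual_hour", user, f"{hour:02d}:00"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in detect(build_baseline(HISTORICAL), NEW):
        print(f"{kind:14} {user or '-':8} {detail}")
```

Run against the constructed data, the first new event (alice from her usual address at her usual hour) produces nothing, while the remaining events yield four findings: a new source and an unusual hour for alice, a failure burst against bob, and a login by a user with no history at all. In practice the baseline would be rebuilt on a rolling window and the thresholds tuned to the environment, but the shape of the logic is the same.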

Respond

This is where having a prepared approach pays off. Companies plan in advance how they will contain and analyze an incident and how they will communicate, internally and externally (to customers, regulators, and law enforcement), should a cyber attack occur, so that nobody is improvising under pressure.

Recover

When an attack succeeds, this function guides the company in restoring affected services and recovering from the damage. Lessons are learned: the company examines what it could have done to prevent or limit the incident, then improves its cyber security protocols and strategic programs to withstand future attacks.

Who Needs It

Of course, anyone within the critical infrastructure sectors. But, as mentioned above, any company can adopt this framework, and many private and public American companies have, because it represents the combined work of NIST staff and more than 3,000 contributors from the private sector.

Why Adopt The NIST CSF

Highly Reliable Resource

As noted above, many companies adopted this framework because NIST staff and thousands of experts spent a year establishing these best-practice standards and proven methods. If this many experts worked together on a framework intended to protect the backbone systems of the US, it should be considered very reliable. Why wouldn’t it be able to assist in a company’s cyber security?

Very Accessible

The framework is written in plain English, deliberately avoiding technical jargon, so that anyone can read and understand it, from the board of a company to the IT department to the administration. This helps tremendously because more people across the organization can talk about cyber risk in the same terms.

Voluntary

Like ITIL, this framework is voluntary to adopt. Businesses can pick and choose the parts that best fit their needs and goals, and as a business evolves, certain parts of the framework can be dropped while other portions are added.

Flexible

The NIST CSF is a flexible, living document. It is not one-size-fits-all, and it is not meant to be treated as such. These are guidelines, not regulations, and the framework can be fitted to nearly any business model, plan, or policy.

Risk Minimization

Adopting the framework reduces a company’s exposure to cyber attacks, which means less damage control afterwards in terms of lost profit, reputation, and legal liability.

The NIST Cybersecurity Framework will only become more integral to American business; analysts have estimated that half of all US companies will be using it by 2020.

For more information about the NIST Cybersecurity Framework and similar strategic programs, contact CBI.

CBI Cyber Security Solutions

Team CBI

CBI manages IT security risk and helps ensure your data is secure, compliant and available. No matter your industry our Subject Matter Experts, tailored assessments and custom solutions help safeguard your organization’s information. Our proven process allows you to prepare, manage and navigate issues that can damage your business and reputation.