As 2016 comes to an end, many are looking for what they can do to improve their business in the coming new year. Streamlining processes, improving customer relationships, and investing in technology may be on your list. What about improving the security of your data and having a real plan in case disaster strikes? Having a plan of action following a cyber attack could mean the difference between recovery and not making plans for your business in 2018. Fortunately there is an outline that you can follow.
What Is Executive Order 13636?
Executive Order 13636 ordered the National Institute of Standards and Technology to develop a system for organizations within the United States to assess and improve their understanding of cyber risk. As part of a nationwide push to improve the country’s cybersecurity practices, the National Institute of Standards and Technology (NIST) has issued a framework that organizations of all shapes and sizes can use to review and improve their key cyber infrastructure.
The NIST Framework Aims At
- creating a standardized ways for companies to review their current systems
- assess the risk exposures of those systems
- establish appropriate risk tolerances for each system
- create procedures for monitoring and improving their cyber defenses
Creating Your Company's NIST Framework
The Framework can at first glance seem complicated and in-depth for smaller organizations. It has three key elements:
The Framework Core involves five key functions, each of which breaks down into smaller subcategories.
The Framework Implementation Tiers explains what risks are possible from the profile and the degree of reaction needed to be taken by the organization.
The Framework Profile involves two different profiles operating amongst different standards, guidelines, and practices across distinct cyber categories. Companies use a seven step process to create, implement, and monitor these three elements. Each of these concepts would constitute the bulk of a single article in of themselves.
What About Small Businesses?
Smaller companies can still implement many of the key concepts behind the NIST framework. Ultimately, NIST boils down to some ultimately simple steps.
- Identify key assets, systems, threats, and vulnerabilities
- Assess current policies, standards, guidelines, and positioning
- Define key goals and targets and steps for achieving those goals and targets
- Continuously monitor your cyber structure for efficiency and improvement
What If I Do Not Comply?
The NIST framework involves no regulatory requirements or legal obligations. It has no comprehensive standards for everyone to follow, such as data privacy or civil liberties standards. Some critics consider these elements a major failing of the NIST framework. Others view it as a key asset since it gives everyone the ability to implement the framework according to their own needs and abilities. NIST focuses instead on trying to shift organizations from a reactionary mindset to one of proactive risk management. This means cultivating a culture of risk assessment and management within organizations by asking them to ask certain key questions.
A Wide Scale Of Risks For Businesses
Cyber risks continue to increase. These risks include a wide array of different exposures and threats. They include cybercrime, espionage, and hacktivism. Attacks range from simple forms of social engineering scams to complicated server attacks. Targets may range from the theft of customer personal information to shutting down a company’s information technology hardware to the theft of intellectual property and trade secrets. Companies need to understand their cyber risk exposures and their potential for loss across all potential targets and assets. Having a dedicated structure for identifying, managing, and monitoring these risks in a cost-effective manner can help give companies a competitive edge in the digital marketplace.
As cybersecurity concerns continue to make news and the economic losses from cybercrime continue to rise, companies are asking themselves what cost-effective steps they can take to improve their cybersecurity plans... and the NIST Framework seems to fit the bill
