As 2016 comes to an end, many business owners are looking for what they can do to improve their business in the coming year. Streamlining processes, improving customer relationships, and investing in technology may be on your list. What about improving the security of your data and having a real plan in case disaster strikes? Having a plan of action to follow after a cyber attack could mean the difference between recovering and no longer being around to make plans for 2018. Fortunately, there is an outline that you can follow.
Executive Order 13636 directed the National Institute of Standards and Technology (NIST) to develop a framework that organizations in the United States can use to assess and improve how they understand and manage cyber risk. As part of a nationwide push to improve the country's cybersecurity practices, NIST published the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. Although it was written with critical infrastructure in mind, organizations of all shapes and sizes can use it to review and improve how they protect their key systems and data.
The Framework can at first glance seem complicated and overly in-depth for smaller organizations. It has three key elements:
The Framework Core consists of five Functions: Identify, Protect, Detect, Respond, and Recover. Each Function breaks down into Categories and then Subcategories, which are specific outcomes (for example, that physical devices and systems are inventoried), with Informative References pointing to existing standards and practices that help achieve each one.
The Framework Implementation Tiers describe the rigor of an organization's cyber risk management practices, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive): how aware the organization is of its cyber risk, how consistently that awareness is reflected in policy and process, and how it shares risk information with outside parties. The Tiers are not a ladder to be climbed for its own sake; an organization should choose the Tier that matches its risk tolerance, its budget, and what is feasible for it.
The Framework Profile aligns the Functions, Categories, and Subcategories with the organization's business requirements, risk tolerance, and resources. Two Profiles are used: a Current Profile recording which outcomes are being achieved today, and a Target Profile describing the outcomes needed to reach the desired risk posture. Comparing the two exposes the gaps that need to be closed. Companies use a seven-step process (Prioritize and Scope; Orient; Create a Current Profile; Conduct a Risk Assessment; Create a Target Profile; Determine, Analyze, and Prioritize Gaps; Implement an Action Plan) to create, implement, and monitor these three elements. Each of these concepts would fill the bulk of an article in and of itself.
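Worked example of the Profile gap analysis, added here and not part of the original article or of NIST's published material. It assumes a 0-3 implementation score per Subcategory (the Framework does not score Subcategories, and its Tiers apply to the organization as a whole, not to individual outcomes), uses a handful of real Core identifiers from version 1.0 with paraphrased outcome text, and the priorities and profile values are constructed for illustration.

```python
from dataclasses import dataclass

# Per-Subcategory implementation scale. This is an assumption for the example:
# the Framework itself does not score Subcategories, and its Implementation
# Tiers describe the organization's overall risk-management practice.
NOT_IMPLEMENTED, PARTIAL, LARGELY, FULL = 0, 1, 2, 3


@dataclass(frozen=True)
class Subcategory:
    sid: str       # Framework Core identifier, e.g. "ID.AM-1"
    outcome: str   # paraphrase of the Core outcome (not the official wording)
    priority: int  # business priority from "Prioritize and Scope"; 1 = highest (assumed)


# Real v1.0 Core identifiers; outcome text paraphrased, priorities constructed.
CORE = [
    Subcategory("ID.AM-1", "physical devices and systems are inventoried", 1),
    Subcategory("ID.AM-2", "software platforms and applications are inventoried", 1),
    Subcategory("PR.AC-1", "identities and credentials are managed", 1),
    Subcategory("PR.AC-4", "access permissions are managed with least privilege", 2),
    Subcategory("PR.IP-4", "backups are conducted, maintained and tested", 1),
    Subcategory("DE.CM-1", "the network is monitored for cybersecurity events", 2),
    Subcategory("RS.RP-1", "the response plan is executed during or after an event", 1),
    Subcategory("RC.RP-1", "the recovery plan is executed during or after an event", 2),
]

# Constructed Current Profile: where the organization is today.
# RC.RP-1 is deliberately absent; an unrecorded outcome counts as not implemented.
CURRENT_PROFILE = {
    "ID.AM-1": PARTIAL, "ID.AM-2": NOT_IMPLEMENTED, "PR.AC-1": FULL,
    "PR.AC-4": PARTIAL, "PR.IP-4": PARTIAL, "DE.CM-1": NOT_IMPLEMENTED,
    "RS.RP-1": NOT_IMPLEMENTED,
}

# Constructed Target Profile: the outcomes the risk assessment says are needed.
TARGET_PROFILE = {
    "ID.AM-1": FULL, "ID.AM-2": LARGELY, "PR.AC-1": FULL, "PR.AC-4": LARGELY,
    "PR.IP-4": FULL, "DE.CM-1": LARGELY, "RS.RP-1": LARGELY, "RC.RP-1": LARGELY,
}


def function_of(sid):
    """Map a Subcategory id to its Function code (ID, PR, DE, RS or RC)."""
    return sid.split(".", 1)[0]


def gap_analysis(core, current, target):
    """Return (sid, gap, priority) for every Subcategory whose target score
    exceeds its current score, ordered for the action plan: highest business
    priority first, then the largest gap, then by id for a stable listing."""
    gaps = []
    for sc in core:
        cur = current.get(sc.sid, NOT_IMPLEMENTED)
        tgt = target.get(sc.sid, NOT_IMPLEMENTED)
        if tgt > cur:
            gaps.append((sc.sid, tgt - cur, sc.priority))
    gaps.sort(key=lambda g: (g[2], -g[1], g[0]))
    return gaps


def gaps_by_function(gaps):
    """Total outstanding gap per Core Function, a one-line view for leadership
    of which Functions (e.g. Detect, Respond) are weakest."""
    totals = {}
    for sid, gap, _ in gaps:
        fn = function_of(sid)
        totals[fn] = totals.get(fn, 0) + gap
    return totals


if __name__ == "__main__":
    plan = gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for sid, gap, prio in plan:
        print(f"{sid:8} priority {prio}  gap {gap}")
    print(gaps_by_function(plan))
```

Re-running the analysis after each action item is closed, with the updated Current Profile, is the "monitor" half of the seven-step process; the ordering rule (priority, then gap size) is one reasonable choice and should be replaced by whatever the organization's own risk assessment produced.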
Smaller companies can still implement many of the key concepts behind the NIST Framework without adopting every piece of it. Ultimately, the Framework boils down to a few simple steps: understand what you have and what threatens it, decide where you need to be, and close the gaps in priority order.
The NIST Framework is voluntary: it imposes no regulatory requirements or legal obligations, and it prescribes no single standard that everyone must follow, for example on data privacy or civil liberties. Some critics consider this a major failing of the Framework. Others view it as a key asset, since it lets each organization implement the Framework according to its own needs and abilities. Instead of prescribing controls, NIST focuses on shifting organizations from a reactive mindset to one of proactive risk management. This means cultivating a culture of risk assessment and management by getting organizations to ask the questions behind the five Functions: what do we have, how is it protected, how would we know it had been attacked, and what would we do during and after an attack.
Cyber risks continue to increase, and they cover a wide array of exposures and threats, including cybercrime, espionage, and hacktivism. Attacks range from simple social engineering scams to complex attacks on servers and networks. Their consequences range from theft of customers' personal information, to shutting down a company's information technology systems, to theft of intellectual property and trade secrets. Companies need to understand their cyber risk exposures and their potential for loss across all of their assets. Having a dedicated structure for identifying, managing, and monitoring these risks in a cost-effective manner can give companies a competitive edge in the digital marketplace.
As cybersecurity concerns continue to make news and the economic losses from cybercrime continue to rise, companies are asking what cost-effective steps they can take to improve their cybersecurity plans, and the NIST Framework seems to fit the bill.