Organisations, regardless of size, need to have a risk management system in place. However, most globally recognised risk management standards are voluminous, carry stiff requirements, are expensive, and are unsuited to Small and Medium-Sized Enterprises (SMEs). This makes it difficult for these enterprises to acquire, implement and maintain adherence to a framework, leading many of them to forgo control frameworks entirely, or to wait until the enterprise expands and its risk needs grow.
This conundrum could have resulted in a steady security decline for small enterprises, but that’s where the NIST CSF comes into the picture. NIST understands that businesses aren’t equal, and that small and medium-sized enterprises (SMEs) in particular usually lack the resources to manage risk sufficiently and effectively. So the CSF was created especially with SMEs in mind.
Now, with this flexible, cost-efficient framework, organisations can save time and costs while maximising the benefits. Compliance isn’t mandatory, but SMEs can use this framework to assess their cyber risks and set plans for improving or maintaining their security posture over time. In fact, the CSF allows room for growth, so organisations can expand their programme over time as business requirements and emerging risks dictate.
Core Functions of NIST Cybersecurity Framework (NIST-CSF)
With just 5 core functions, and basic cybersecurity activities organised into functional steps, the framework defines a set of best practices that enables IT organisations to manage cybersecurity risks effectively. These functions are simple, unambiguous and not too technical, so that every stakeholder can understand them.
Identify
This function helps the organisation develop an understanding of its business and its potential cybersecurity risks. It serves as the foundation for an effective risk management programme, ensuring that the strategies and measures adopted to tackle risks actually align with the organisation’s needs.
The factors that need to be identified and taken into consideration are:
- physical and software assets
- the organization’s business environment including its role in the supply chain
- asset vulnerabilities
- threats to internal and external organizational resources
- established cybersecurity policies and existing controls
Protect
The next step is to take corresponding precautions for the risks identified and work to limit the impact of a potential cybersecurity incident.
This function outlines appropriate safeguards, some of which include:
- Setting up access control mechanisms
- Organization of security awareness training for employees
- Updating security software regularly, automating where possible for increased efficiency
- Having strong data protection mechanisms in place: encryption, regular backups, security policies, etc.
- Constant maintenance, including remote maintenance activities
- Ensuring business resilience through a network of technology, processes, policies etc.
With these safeguards in place, plus others tailored to the organisation’s needs, the enterprise is properly outfitted and secured to the required standard.
Detect
Even though protective mechanisms are in place, an organisation cannot completely prevent threat events. The key is timely detection when they do occur. Therefore, certain processes need to be in place to ensure that an attack is identified, controlled and contained early.
Some of these are:
- Ensuring anomalies and events are detected, and their potential impact is understood
- Continuous monitoring and effective alert systems (including checking the network for unusual activity and traffic, intrusion detection systems (IDS), and monitoring physical and software assets)
- 24/7 perimeter security to avoid being caught unawares
Respond
Once an event has been detected, appropriate action needs to be taken and its impact contained.
This can be done by:
- Ensuring swift incident response, during and after the event
- Performing mitigation activities to prevent the expansion of an event and to resolve the incident
- Reporting the attack to law enforcement and other authorities.
- Analysing the incident to ensure an effective response and to support recovery activities, including forensic analysis and determining the impact of the incident
- Efficient communication with all stakeholders
- Continually making improvements to the organization’s security strategy by incorporating lessons learned from current and previous detection/response activities
Recover
An organisation should be resilient even in the face of attacks and cyber incidents. It should be able to return to normal working capability as soon as possible, stronger and wiser for it. Some steps can ensure an enterprise bounces back as soon as possible:
- There should be a continuous backup and recovery system in place, so that in the event of loss or damage from a cyber event the cost would not be dire.
- Repairing and restoring the assets and resources affected.
- Keeping all stakeholders (employees and clients) informed of the response and recovery activities employed. Transparency is important.
- Updating your cybersecurity policy and plan with lessons learned.
- Implementing other improvements and reviewing existing strategies, continually updating and strengthening the risk management system.
The National Institute of Standards and Technology (NIST) once stated: “Because small businesses typically don’t have the resources to invest in information security the way larger businesses can, many cybercriminals view them as soft targets”. To a small business, a strong cybersecurity programme is often seen as a task too difficult because of the resource requirements.
This framework was a response to that problem: a solution designed to reduce risk by improving the management of cybersecurity risk to organisational objectives. Over time, the NIST CSF helps organisations develop a more rational and effective approach to cybersecurity strategy and investment.
As an SME, don’t snooze on this. Start off your risk management journey today by reaching out to CyberPlural MSSP.