Cybersecurity has become increasingly important to companies over the past several years. As technology continues to become more central to all areas of business, it is vital that companies consider cybersecurity not just as an IT function but as an integral part of their overall risk management strategy.
Small businesses are often faced with a dilemma: they are vulnerable to cyberattacks and other cybersecurity issues but often lack both the financial and human capital resources to properly mitigate the risks.
However, small businesses cannot ignore the importance of cybersecurity and should have strategic initiatives to address the risk of cyberattacks and better protect their critical assets and operations.
The NIST Cybersecurity Framework – A Blueprint for Small Business
In 2014, the National Institute of Standards and Technology (NIST) introduced their framework for improving cybersecurity. The Framework provides businesses with a tool to help better assess their cybersecurity risks, manage and prioritize the actions to take to address those risks, and communicate the company’s cybersecurity approach to employees, customers and other key stakeholders.
A key benefit to the Framework is its flexibility; it acknowledges that businesses have different cybersecurity risks and resources to address them and as such it is designed to be adaptable to a number of different circumstances. It can be used as a guide for management to evaluate their current cybersecurity measures or as a blueprint for establishing a new cybersecurity program.
The Framework is divided into three main sections: the Framework Core, Implementation Tiers, and Profiles.
The Framework Core is a set of actions and goals for cybersecurity that are common across various types of organizations. It consists of five high-level functions that outline the basic structure of a cybersecurity program. The functions are then broken down further into categories and subcategories that provide more specific actions and outcomes.
The five functions are as follows:
- Identify – This function helps companies better understand where their cybersecurity risks are located and how those risks impact the overall goals of the organization. Management can determine their available resources and capabilities and how a cybersecurity strategy aligns with other risk management processes.
- Protect – Various safeguards should be designed and implemented to address the cybersecurity risks previously identified. Examples of such protective actions are access controls over key information and assets, software solutions such as anti-virus software, and training for employees or other technology users.
- Detect – In addition to protecting against an attack, a cybersecurity program needs to have steps in place to identify a cyberattack when one occurs. This could include continuous monitoring of critical or vulnerable assets as well as regular analysis of data for unusual activity.
- Respond – It is important to define the actions that will be taken in the event of a successful cyberattack. A cybersecurity program should have clear guidelines on what should be done in such a situation and how an attack will be contained and stopped.
- Recover – A successful cyberattack could cause considerable damage to a company’s network and operations. This function in the Framework addresses how a company will restore its systems and operations as well as recover its data subsequent to an attack.
Implementation Tiers and Profiles
The Framework also contains Implementation Tiers, which are designed to group organizations by their level of cybersecurity risk and the practices and resources that are in place to address those risks.
The four tier levels are as follows:
- Tier 1: Partial – At this level an organization does not have a formal cybersecurity program and there has not been an organizational-level assessment of cybersecurity risk.
- Tier 2: Risk Informed – Businesses at this tier have some approved cybersecurity practices established and generally understand the cybersecurity risks impacting the organization; however, a company-wide approach to addressing those risks has not been established.
- Tier 3: Repeatable – At this tier a company has developed a formal cybersecurity policy that addresses risk at all levels of the organization.
- Tier 4: Adaptive – Organizations at this tier continue to improve their cybersecurity practices and evaluate their activities to become more proactive regarding their cybersecurity risk management.
Management should determine what tier their organization is currently in and evaluate whether that is the appropriate level given their organization’s specific risks. While ideally a company should strive to be in at least Tier 2, management should only consider moving up if such a change would produce a reduction in cybersecurity risk equal to or greater than the associated cost.
In addition to the Implementation Tiers, the Framework also includes a section for Profiles. Profiles combine the results of the first two sections of the Framework into a snapshot of the current state of a cybersecurity program.
Organizations should create not only a current profile for their cybersecurity program but also a target profile that incorporates management’s goals for the program. The two profiles can then be compared to determine if the current cybersecurity program is achieving its desired result or if additional actions are necessary to obtain management’s goals.
Using the Framework to Develop a Cybersecurity Program
As mentioned earlier, the Framework can be used by management as a roadmap for developing a cybersecurity program that meets the needs of the organization. NIST provides a seven-step process that organizations can use to develop their cybersecurity program:
- Step 1 – Prioritize and Scope – Management should first establish the mission for the program and the available resources that can be committed to the program.
- Step 2 – Orient – An evaluation of the various cybersecurity risks to the organization should be performed to identify the areas of highest risk and the approach to mitigating those risks.
- Step 3 – Create a Current Profile – As noted above, management should review the current state of their cybersecurity program or any measures already in place to address cybersecurity risk.
- Step 4 – Conduct a Risk Assessment – An analysis of the risk of a cyberattack and its potential impact on operations should be conducted to determine where the weaknesses in the current protocol may exist.
- Step 5 – Create a Target Profile – Management should then take the results of their risk assessment and develop a profile that would properly address those risks given the resources available for the program.
- Step 6 – Determine, Analyze, and Prioritize Gaps – The organization’s current and target profiles should then be compared to identify gaps in the current procedures and to prioritize where resources should be allocated to address those deficiencies and better align with the target profile.
- Step 7 – Implement Action Plan – The final step requires management to take action on the issues previously identified to make improvements to the program and work towards achieving management’s specific objectives.
The NIST Cybersecurity Framework offers practical guidance for developing or improving a cybersecurity program and can be adopted by almost any organization. The Framework is well suited to small businesses since its flexibility allows organizations to determine the suitable risk profile and action plan given their particular circumstances and budget.
It provides companies with clear guidance on how to establish a cybersecurity program that evaluates the risks across the whole organization, determines the appropriate actions to protect against, detect and recover from cyberattacks, and communicates management’s approach to other parties both inside and outside the business.