NIST Cybersecurity Framework: Keeping Your Business Safe in an Unsafe IT Ecosystem

The Rising Strategic Risk of Cyberattacks

As the world continues to embrace technology and its many advantages, business also has begun to rely more and more on technology, storing large amounts of sensitive data electronically. The ease at which computers can store and access information is a major reason for the shift toward massive electronic storage and with the efficiencies that computers bring to the market, a new area of risk has been inadvertently created.
Evidently, cyber criminals today are increasingly leveraging malware, bots and other forms of sophisticated threats to attack organizations for various reasons – financial gain, business disruption or political agendas. In many cases, they often target multiple sites and organizations to increase the likelihood of an attack’s initial success and viral spread. With new variants of malware being generated on a daily basis, many companies struggle to fight these threats separately and the majority of attacks are often left undetected or unreported.
Cybercriminals are also no longer isolated amateurs. They belong to well-structured organizations with money, motivation and goals, often employing highly skilled hackers that execute targeted attacks. Such organizations can deploy considerable threat intelligence, time and resources in order to execute attacks that can cost cybercrime victims significant amounts of money. Unfortunately, this trend is only growing more complex as businesses experience a surge in internet use, mobile computing and the cloud, creating more channels of communication and vulnerable entry points into the network.

Cybersecurity – A Global Business Concern 

More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become more and more distressing.
Based on 2014 McKinsey and World Economic Forum Research, companies are continuously struggling with their capabilities in cyber risk management and believe that they are losing ground to attackers as visible breaches incessantly occurs in growing scale and severity.
Their findings show that 70% of executives from financial institutions believe that cybersecurity is a strategic risk to companies and considered internal threats (their employees) as big risk as external attacks.  Similarly, product companies such as high-tech firms see the leaking of proprietary knowledge about production process as more damaging than leaks of product specifications given the pervasiveness of “teardown” techniques and the legal protections afforded to product designs. Service companies on the other hand, are more concerned about the loss and release of identifiable information on customers and about service disruptions.
Equally worrisome, executives from various industries perceived that cyber attackers will continue to increase their leads and pace over corporate defenses – more quickly than the ability of institutions to defend themselves, thus, making cybersecurity the top priority of every business of all kinds.

 Why Does Cybersecurity Matter?

If you still haven’t developed a plan to safeguard your company’s information assets, here are the top 5 reasons why cyber security matters:
1 – Your reputation will be at risk.
If your business has an exposure to cyber risk, you can be sure people will find out about it. The fallout can be devastating. Customers may doubt their data is safe with you, prompting them to shop elsewhere as a result. After all, if you’ve had one breach, what are the chances you might have another?
A data breach could even make your vendors wary of working you. Network connections you share with them—for processing payroll, for example, or for transferring email campaign lists—could suddenly be suspect. They have their own data to protect, and a breach might identify your business as the weakest link in the security chain.
– Breaches are a financial burden.
When a breach is discovered, systems are often taken offline to plug the security hole. During that time, you may not be able to process customers’ orders or continue operations. New equipment or software may need to be purchased to prevent a recurrence of the breach.
3 – It’s not a matter of “if,” but “when.”
With the pace of breaches occurring in our hyper-connected, data-intensive world, no business, industry or region is immune. Rather than hoping to simply avoid a data exposure, businesses are learning smarter to protect themselves and be prepared to meet hackers head on.
4 – Insider threats are real.
Dangers may lurk within an organization that is just as disturbing as any cyber criminal. Resentful employees can inflict tremendous harm if they choose to take revenge on the business or a coworker by divulging sensitive information. The same holds true for employees facing financial difficulties who may see the sale of confidential data as a way to solve their money problems. One of the most challenging aspects of an insider threat is how difficult it can be to identify who presents a risk and who doesn’t. Employers often aren’t aware to the danger until a breach has occurred.
5 – A cyber attack puts your customers and partners at risk.
Breach victims could suffer financial losses through the theft of payment card and bank account numbers. It’s also possible they could fall prey to identity fraud later if criminals use their personal information to open new accounts in their name. But the damage doesn’t stop there. With a name or a Social Security number, someone could commit a crime using the victim’s identity, putting that person’s livelihood and reputation in serious jeopardy. Given the danger identity theft and fraud post, protecting customers’ data is part of being a good business.
Some of the largest breaches during the past few years have been due to small businesses serving as vendors to larger companies. As part of the larger business ecosystem, small businesses will be scrutinized for data best practices so long as they serve as third party vendors for other companies.

 Cybersecurity Landscape

Attacks on sensitive IT systems and data increased in 2015, many of which caused substantial financial and reputational damage to the companies involved. Still, a successful attack on the underpinnings of the nation’s critical infrastructure would have far more catastrophic impacts than this.
Based on ISACA 2015 Global Cybersecurity Status Report, 83% of ISACA members across 129 countries say cyberattacks are among the top three threats facing their organization today, and only 38 percent say they are prepared to experience one.
IT departments often found themselves unprepared to patch and mitigate these threats – monetization of credit card data or financial records, rapid replication of product or process, access to strategic or customer information, leaving the window for exploitation wide open and leading to a perfect storm of zero-day attacks, system infiltration and subsequent data loss for many organizations.
Here are the Must Know Cyber Security Statistics in 2015

According to 2015 IBM Business Intelligence Index Report, 55% of attacks came from the people who has physical or remote access to a company’s assets – hard copy documents, disks, electronic files and laptops—as well as non-physical assets, such as information in transit. Although the insider is often an employee of the company, he or she could also be a third party. Think about business partners, clients or maintenance contractors, for example. They’re individuals you trust enough to allow them access to your systems.

Still, it’s important to note that more often than not, breaches caused by insiders are unintentional. In fact, over 95% of these breaches are caused by human error. That can mean accidentally posting information on the company’s public-facing website, sending information to the wrong party via email, fax, or mail, or improperly disposing of clients’ records.
But insiders who set out to take advantage of the company they work for can be much more dangerous. It’s more difficult to thwart these insiders’ malicious actions because they’re willing to take extraordinary measures to circumvent access controls and are typically unconcerned with corporate policies or the potential consequences of their actions.

Taking Action: NIST Cybersecurity Framework

The NIST Framework for Cybersecurity for Critical Infrastructure was approved in February 2014 and is intended to help establish guidelines and best practices for ensuring that our critical systems are adequately protected. Although it is a voluntary framework, it is expected that it will be adopted by many companies in order to strengthen their security posture.
The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Core, Implementation Tiers, and Profile.

Framework Core – A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core represents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level.
The functions included in the Core include:

  • Identify – develop the organizational understanding to manage cybersecurity risk to systems, applications, and data
  • Protect- implement safeguards to ensure the secure delivery of infrastructure services
  • Detect – implement the appropriate activities to take action on a cybersecurity event.
  • Recover- maintains plans for resilience and to restore any services impacted by a cybersecurity event.

Framework Implementation Tiers – Describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. There are four tiers that can be used to identify the “current state” of your cybersecurity effort.
These tiers and their brief characteristics include:

  • Tier 1 (Partial): Informal cybersecurity risk management practices, ad hoc and reactive approach to risk management.
  • Tier 2 (Risk Informed): Management –approved risk management processes, awareness of risk at organizational level, but lack of organization of organization-wide approach.
  • Tier (Repeatable): Risk management processes expressed as policy, organization-wide approach to manage cybersecurity risk, risk-informed policies, processes and procedures.
  • Tier 4 (Adaptive): Adaptable cybersecurity practices based on lessons learned and predictive indicators, continuous improvement incorporating advanced technologies and practices, active sharing of information with partners both before and after cybersecurity events.

Framework Profile – Describes outcomes based on the business need and risk assessment that the organization has selected from the Core. This information enables you to identify opportunities for improving cybersecurity by moving from “current state” to “target state”. To develop a Profile, an assessment, determine which are most important. The Current Profile can then be used so support prioritization and measurement of progress towards the Target Profile. It can also be used to support communication within the organization.

Benefits beyond Improved Cybersecurity

The NIST Framework was designed with a very high degree of flexibility for organizations that would like to follow its guidelines. It is also technology – neutral, and incorporates existing industry standards and best practices – no “re-inventing the wheel”.  Most importantly, it enables each organization to profile its own cybersecurity efforts, define a target profile, and then put in place a plan to reach that goal.
In this regard, its guidelines should be considered not as requirements but as scorecards that are based on the unique business needs, risk appetite, and security demands for each environment and provide a guide for continuous improvement based on changing risk and threat dynamics.
For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. But it also can deliver ancillary benefits that include effective collaboration and communication of security posture with executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance.
Effective collaboration hinges upon open and meaningful dialogues. To that end, the Framework has created a common language to facilitate conversation about cybersecurity processes, policies, and technologies, both internally and with external entities such as third-party service providers and partners.

Looking Ahead

New technologies, well-funded and determined cyber – attackers, and interrelated business systems have joint to increase your exposure to cyberattacks. Your critical and most confidential digital assets are being targeted at an exceptional rate and the potential impact to your business has never been greater.
NIST Cybersecurity Framework represents a tipping point in the evolution of cybersecurity, one in which the balance is shifting from reactive compliance to proactive risk-management standards. This framework is voluntary and when you successfully adapt, you do more than protect your business, you have the potential to reap bottom line benefits.


Related Posts

Leave a Reply