
Understanding the NIST Cybersecurity Framework 

Rose de FremeryApril 07, 2023
Given how many sophisticated and aggressive cybersecurity threats are out there today, figuring out how best to protect your company, customers, and employees is no simple matter. The NIST Cybersecurity Framework provides businesses with essential guidance on how to manage cyber risk, as well as how to respond to an attack if one happens. Here's a brief history of the framework, a look at its key components, and some tips for implementing it.

How the NIST Cybersecurity Framework came to be

In February 2013, the Obama administration issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, with the aim of strengthening the nation's cybersecurity posture. Among other things, the order directed the National Institute of Standards and Technology (NIST) to develop a Cybersecurity Framework. The framework draws on existing standards, guidelines, and best practices to help organizations of all sizes better understand, manage, and reduce their cybersecurity risk. Adopting it is entirely voluntary. The original version, CSF 1.0, was published in February 2014, and the most recent official version, CSF 1.1, followed in April 2018. Since then, NIST has been gathering feedback for version 2.0, which is currently scheduled for release in 2024. CSF 2.0 is expected to add a dedicated Govern function and expanded guidance on supply chain risk, and to reflect the growing consensus that technology should be secure by design in order to better protect businesses, customers, and the general public. Businesses that want an advance look at the recommendations likely to appear in CSF 2.0 can review the proposed changes in the NIST Cybersecurity Framework 2.0 Concept Paper.

How to use the NIST Cybersecurity Framework 

The CSF currently organizes cyber risk management around five core Functions: Identify, Protect, Detect, Respond, and Recover. Here's a brief look at what each Function covers, along with some practical steps businesses can take to implement its recommendations.

Identify

Your business can't secure what it doesn't know about, which is why the first step in the CSF is an inventory of the assets your business depends on: hardware such as laptops and smartphones, software and cloud services, point of sale (POS) equipment, and the data those systems store and process. Just as important as the technology is the people using it, so establish a baseline for employees' level of technical skill and where they work (remote, hybrid, or in-office). Don't forget other appliances that may be connected to your network, such as copiers and printers, along with any internet of things (IoT) devices your company has in place. Even physical security systems like cameras and smart card readers belong on the list, since anything with a network address can be attacked. If you don't already have a cybersecurity policy, consider creating one. It should clearly delineate roles and responsibilities for employees, vendors, and anyone else with access to important business systems and data, explain the steps your business will take to prevent a cyber attack, describe how the company will mitigate the fallout if one happens, and state who is responsible for carrying out each of those steps.

Protect

Once you know what technology you have and have evaluated the human factor (how and where your employees use it), look at the access controls governing who can log onto your network, applications, and devices. Multi-factor authentication and granting each account only the access it needs (least privilege) are two of the most effective controls here. It's also worth taking a granular look at who can reach sensitive business data, and reviewing that access periodically rather than once. Security software can help safeguard this data based on the tools your employees use and the level of control and visibility you need. For example, encrypting data at rest and in transit means that even if bad actors make their way into your network and come across information they want to steal, they can't read it without the keys. (Strong encryption is also the foundation of a zero knowledge security approach to safeguarding crucial data, where the service provider itself never holds the keys.) Put some thought into policies for how the company will securely dispose of electronic files, old devices, and other technology assets, since data that outlives a device is easy to overlook. Your employees play an important role in protecting the business against cyber threats, so give them regular security awareness training on how to spot a potential attack, phishing in particular, and what to do when they see one.

Detect

Next, watch for suspicious activity. Collecting logs from your systems and devices in a central place and monitoring them regularly lets you spot when someone tries to gain access to a resource without authorization, and it gives you the records you'll need to investigate and respond if an incident does occur. This applies to external attackers trying to find their way into your network as well as insider threats (employees or other personnel who may be going rogue for one reason or another). Also keep a lookout for unauthorized devices or software appearing on your network, since anything outside your inventory is unmanaged and could compromise your business too. Comparing what you see against the baseline you built in the Identify step is what makes these anomalies stand out.

Respond

When a cyber attack hits, your business needs an incident response plan at the ready. Otherwise, the company will waste precious time trying to come up with an effective response on the fly. This plan of course includes the direct cybersecurity interventions you might expect, such as investigating, containing, and eradicating an attack, but there's more to it than that. Communication is key, which is why the CSF recommends deciding in advance how you will notify customers, employees, and others whose data may be affected. Business continuity is essential to the company's survival, so plan how you will keep regular operations running while affected systems are being dealt with. Depending on your industry and location, you may also be legally required to report the attack to law enforcement, regulators, or other authorities within a set time frame, so your response plan should include that step and who owns it.

Recover

After you've made it through the cyber attack, hopefully with minimal damage to the business, customers, and employees, a fair amount of recovery work may still be required to get your company back to normal operations. Repair and restore any systems, devices, or other parts of your network that were affected, ideally from backups you have tested in advance, and verify that the attacker's foothold is gone before reconnecting them. Continued communication is essential at this stage, as employees and customers will need to know what has been done to recover from the attack. Finally, the CSF calls for feeding lessons learned from the incident back into your plans and protections so that the same attack doesn't succeed twice.

Manage your cybersecurity risk with greater confidence

Every business leader knows that it's important to protect the company against cyber threats, but figuring out where to begin isn't always so easy. Fortunately, best practices like the NIST Cybersecurity Framework are here to cut through the confusion and streamline the path to better cybersecurity. With a little careful preparation and advance planning, your business can more confidently manage its cybersecurity risk. Learn how LastPass can help protect your business from cyber threats.