In August, President Trump signed the NIST Small Business Cybersecurity Act, directing NIST to develop a streamlined version of its Cybersecurity Framework to protect small businesses (SMBs) who have traditionally been unable to invest in their own IT security resources. At the same time, an increasing number of businesses are requiring vendors within their supply chain to adopt the NIST framework.
Securing the systems of small businesses is a very real concern, for the businesses themselves as well as for the private and public organizations working with this sector. Unaware of their own susceptibility and lacking appropriate IT resources, SMBs are an excellent target for hackers. In fact, the real danger is that small businesses can unwittingly become launching pads for much larger attacks on government sites and Fortune 500 companies.
Fortunately, the existing NIST framework can help small businesses to identify, prioritize, and mitigate risk. NIST has a guide (NISTIR 7621, Revision 1, Small Business Information Security: The Fundamentals, Celia Paulsen and Patricia Toth, 2016) that helps SMBs understand risk assessment and determine their vulnerabilities.
The NIST framework encompasses five key functions: Identify, Protect, Detect, Respond, and Recover. In this article, we’ll explore what SMBs must consider to implement NIST successfully, including identifying, classifying, and quantifying risk; assigning roles and responsibilities within the company; and developing policies and procedures for their cybersecurity program.
Identify Your Risks
A key challenge for businesses is knowing where their risks lie. In order to create a plan, you must start by making a list of your critical business assets and practices. If you are a small bank, for instance, maintaining 24/7 access to online banking might be critical. Another concern might be protecting the confidentiality and integrity of your data. And what about having sufficient cash flow? These concerns become the top priorities you must manage to stay in business. Other goals, such as having a nice website or hiring a marketing person, probably take a back seat to online access, data confidentiality, and cash flow. Only you, as management, can determine what matters most to your business.
A business’s current state of risk must be determined through a comprehensive risk assessment. A full risk assessment includes threat, vulnerability, and impact analyses, all of which are important to defining an overall risk strategy. Because risk can be addressed in different ways—such as altering risky behavior, developing countermeasures to threats, reducing vulnerabilities, or developing controls—these assessments establish the baseline for determining the most cost-effective strategy to address risk.
Determining the current state of risk also provides the basis for a gap analysis. A gap analysis gathers data about your business environment, which is then analyzed according to the risk management strategy, classification and tolerance. Existing controls must be inventoried, tested and evaluated to determine the extent to which they meet the desired objectives for risk mitigation. This will provide the basis for deciding whether these controls are sufficient; need to be strengthened, modified or replaced; or whether additional controls must be added.
Risks evolve on a daily basis, and you are only as secure as your weakest point. If you have a dead bolt on your front door, but your back door is not locked, you are not secure! Invest in good business practices that will go a long way in protecting your data. Small business owners need to consider risk across operations, including data privacy, company laptop use, website and cloud services, and outsourcing.
Determine the Impact
For management, business impact is the bottom line of risk.
A BIA (business impact analysis) is an exercise that determines the consequences to an organization of losing any resource it depends on. BIAs are a critical part of the risk assessment process, and an important tool for developing a strategy to address potential adverse impacts. A BIA should generate input for asset classification based on business value, determining the difference between acceptable and actual levels of potential impact that must be addressed by the cybersecurity strategy.
Classify Your Risks
All risks are not created equal. What constitutes low, moderate, or high risk in your business? Your strategy for risk management has to start with defining your tolerance of risk. For example:
Low risk: What would happen if your website was offline for less than two hours? You may decide that you can live with the loss of two hours of sales, or that a two-hour outage will not seriously compromise your business reputation.
Moderate risk: What if your website was down for four hours? While that might put a dent in your sales projection, you could probably still survive as a business and recover.
High risk: Could your business survive being offline more than four hours? This might result in an irretrievable financial loss and a fatal blow to your business’s reputation. (Can you imagine Amazon.com being down for even four minutes?)
For every identified risk, you have to define the parameters of what you can accept, what makes you nervous, and what you cannot accept: low, moderate, and high. While you can certainly come up with more complex and extensive impact scales, our advice is to keep it simple. You can always mature the model and implement sophisticated metrics later, but sometimes more complicated is just that.
Quantify Your Risk
Usually the prioritization of a risk, and the amount of money and resources that must be allocated to protect against it, are relative to the cost of the loss should the risk materialize. To provide a real-world example, the process is like determining how much insurance you would need on your home in case of fire, flood, or other disaster.
We recommend creating a ledger of all the risks. Determine your tolerance for each identified risk, consider the cost and then spend accordingly. For instance, if your car is worth $5,000, then purchasing a $100,000 insurance policy is overkill. Prioritizing your business risks is similar. If loss of data affects your reputation, which may be hard to quantify in dollars but could have a major impact on your ability to grow your business, then don’t skimp on measures to protect your reputation. Once you have defined your objectives and priorities, you can decide how to manage risk effectively at an acceptable cost.
Assign Roles and Responsibilities
Once the BIA is complete, management can assess the spectrum of risk and create a strategy for achieving the identified security goals, whatever they may be: protecting data privacy, providing redundancy, securing sufficient insurance policies, etc.
The typical approach to building a cybersecurity program is to create a standalone program, in a silo. This outdated approach must be replaced with integrated risk management—an approach that integrates all business units and stakeholders, including non-security personnel.
Who needs to be involved in the strategy for data protection? Your security department needs to engage HR, finance, physical security, and legal. These stakeholders need to develop and agree upon an appropriately crafted policy. What should the legal agreements and rules of behavior state? What types of procedures should be followed when adding or removing employees? What financial measures have to be in place to create incentives and deterrents for employees, third-party vendors, contractors and others?
Your policy should also consider who and what pose threats to your business. For instance, if protecting data is critical to your organization (and I can’t think of an organization in which it is not), you should consider from whom you are protecting that data. This list should include your employees, ex-employees, hackers, third-party vendors, and your hosting facility administrators.
Developing a Strategy
From the outset, it is imperative that senior management defines, promotes, and enforces a clear risk management strategy. The key is defining the objectives, and starting with small, manageable goals that are achievable and realistic. Cumulative effort is essential to success. You will not go from no risk management program to a comprehensive, effective program overnight. Implementation will require hard work on everyone’s part.
A cybersecurity program built on the NIST framework should address all of the following:
- Access control: Companies should adopt a good password policy, requiring complex passwords that change every 45 days. The Target store hack a few years ago was the result of that company allowing an HVAC company remote access without enforcing two-factor authentication. Hackers compromised the HVAC company, and through them gained access to all of Target’s credit card data.
- Awareness training: This component requires relatively low investment and provides an excellent return on investment. Educate your employees on the basics of cybersecurity threats and offer them defensive strategies for navigating the internet. The DNC hack was reportedly the result of someone responding to a phishing email requesting Gmail credentials!
- Layered defenses: Starting with AV, encrypt your laptops, implement encrypted secure communications in your online exchanges and transactions, invest in security awareness, make full and incremental back-ups of your systems, patch your servers, and monitor your environment.
Once you have identified your risk areas, determined your risk tolerance, and created the roles responsible for the program from across the organization, you can determine an acceptable level of investment in cyber security. In most cases your strategy should include a combination of various measures, like diversifying your investment portfolio.
Next Steps: Implementing Your Strategy
To this point, we have focused on the Identify and Protect functions under the NIST framework. Next among the NIST functions is Detect, which recommends measures already familiar to many SMBs: installing intrusion protections such as antivirus and firewall defenses and maintaining and monitoring system logs.
Finally, under the Respond function, the NIST guidelines recommend developing a disaster and incident response plan, outlining policies and procedures to follow if and when an incident occurs. If you have properly identified responsible roles within the organization, everyone has a role and is a stakeholder in this plan. (Also, this plan should be tested when things are going well, not in the midst of a crisis!) For instance, was your HR server compromised? The good news is that you were able to detect the breach because you were using the right tools to monitor your environment. Now, what are the necessary response and recovery steps identified in your disaster and incident response plan? Do you shut down or isolate the server? Do you have a clean backup or a contingency plan for recovery? These questions and procedures should all be addressed as part of your integrated risk management strategy.
Final thoughts and considerations
Developing a measured, thoughtful strategy for cybersecurity is like starting a crossword puzzle. You begin with the small, simple words you know, and once those pieces are in place, the larger, more complicated words become easier to figure out.
By first identifying potential risks, determining the impact of those risks, quantifying the possible cost to your business, and investing all employees as stakeholders in the IT security process, you can develop an integrated strategy for cybersecurity.
The NIST framework provides step-by-step instructions for navigating this process that should result in concrete plans and procedures. If you come to the conclusion that cybersecurity is a critical function for your business, consider investing in a partner to perform assessments, compile risk inventories, identify priorities, and implement custom plans, policies, and strategies designed to safeguard your small business for the long term.
About the author: Baan Alsinawi has been the founder and president of TalaTek for the past 12 years. Ms. Alsinawi possesses a unique capacity to be a thought leader who sees the big picture, understands how technology can be leveraged, and knows how to build the right teams and solutions to manage it. Ms. Alsinawi is a member of ISC2, and is CISSP and ITIL certified.