Small businesses to receive NIST assistance: Overlooked areas of the NIST framework

In years past, it was a challenge for organizations across every industry to ensure they were protected against the risks of – and ready to respond to – a cybersecurity incident. Decision-makers and IT administrators alike followed the advice of experts and worked to create strong safeguards and response and recovery plans.

It wasn’t until early 2013 that a more concrete set of cybersecurity standards was put into place in the form of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Supported by an executive order under the Obama administration, the framework’s aim was to spur more consistent sharing of threat information as well as best practices for reducing risk and safeguarding critical infrastructure.

Now, the NIST Cybersecurity Framework is in the spotlight, thanks to a recent act from the Trump administration.

NIST Small Business Cybersecurity Act

According to a press release from the White House, President Donald Trump signed the “NIST Small Business Cybersecurity Act” into law on August 14, 2018, alongside a handful of other propositions. This act seeks to better support smaller organizations in their pursuit of data protection, and requires NIST “to develop and disseminate resources for small businesses to help reduce their cybersecurity risk.”

While NIST already provides key resources and information through its website, this increased attention to the cybersecurity struggles that small businesses face is particularly beneficial in the current landscape. As threat actors continue to act with rising sophistication and advanced attack techniques, it’s an uphill battle for protection and prevention for small businesses, many of which have limited resources and budgets for cybersecurity initiatives.

Dr. Bret Fund, founder and CEO of SecureSet, told InfoSecurity that this bill represents a step in the right direction for data protection and infrastructure security efforts. Fund added that the measure signals a dedication under the current administration to reduced risk and stronger cybersecurity.

“This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” Fund said.

What’s more, because attacks can impact an organization of any size, and because smaller businesses typically have limited protections and expertise on their side, a cybersecurity incident could be devastating to the success of the company.

“Recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructure,” Cavirin product management vice president Anupam Sahai told InfoSecurity.

Small businesses are often the easiest targets for hackers today.

Examining the NIST Framework

While NIST’s Cybersecurity Framework is voluntary, and non-compliance with its recommendations doesn’t currently carry any penalties, the standards and best practices it includes have been shown to improve data and infrastructure protection and to reduce the risk that a cybersecurity incident will topple a business.

According to recent research from the National Cyber Security Alliance, nearly half of all small businesses have experienced a cyberattack at some point during their lifecycle. What’s more, over 70 percent of cyberattacks specifically target small businesses. And of the small companies in which a successful attack has taken place, 60 percent close their doors for good due to being unprepared to respond and recover from the incident.

A resource like NIST’s Cybersecurity Framework can prove invaluable in this type of threat landscape. The Framework is broken down into five core functions, Identify, Protect, Detect, Respond and Recover, each of which contains categories and subcategories with specific best practices and recommendations.

Each function revolves around a specific cybersecurity activity, and when these efforts are combined they help organizations build more robust, end-to-end security. By following NIST recommendations, businesses can identify the specific risks that could affect their cybersecurity, guard against those threats in particular, put systems in place to detect them, understand the best measures for responding to detected threats, and know the strategies that must be undertaken for recovery.

Potentially overlooked areas

Because each function of the framework operates in conjunction with the activities included in the next function, it’s imperative that stakeholders carefully and comprehensively undertake each practice outlined. For instance, the second function, Protect, cannot be completed effectively without first identifying the specific threats that need to be guarded against.

Let’s examine some of the areas that could potentially be overlooked within the framework, and where they fit into each category and function:

  • Identify – Business Environment: The first function revolves around identifying the threats that could impact the business. One category under this function is Business Environment. It requires the organization to consider not only its internal processes and infrastructure, but also how these fit into its overall supply chain and its industry sector. It’s imperative for small businesses that this step isn’t overlooked. As the Target breach demonstrated, weak security within the supply chain or at partnering organizations such as small business vendors can have significant ramifications. Because this category is built upon later under the Protect function, within the Supply Chain Risk Management category, and because small businesses can be either the intended target or the means by which larger organizations are breached, a lack of proper preparation here can cause complications further down the line as businesses work through the framework.
  • Protect – Identity Management: While issuing specific authentication credentials for secure access, including two-factor and multi-factor authentication, is typically common practice, this category under the Protect function also recommends that credentials be continuously verified and revoked when necessary for all users, and especially for privileged users. Stakeholders should also extend this management to remote access. For example, when an employee leaves the company, it’s critical that IT revoke and remove their credentials to prevent any unauthorized access.
  • Protect – Awareness and Training: Security education, and making users aware of their roles and responsibilities, is crucial. As the Framework recommends, this should include third-party stakeholders, partners and even vendors as well as internal staff.
  • Detect – Anomalies and Events: The first step under this category is the creation of “a baseline of network operations and data flows for users and systems.” This is challenging for all organizations and even more so for small businesses. Because the purpose of this function is to enable threat detection, it’s critical that stakeholders first have an in-depth understanding of what normal activity looks like. Working with Managed Detection and Response vendors is one way small businesses can leverage the advanced threat detection and analytics such providers are able to offer.
  • Respond – Improvements: This function covers the plans and processes organizations will use to respond when a threat is detected. After the business mitigates any incident according to its response plans, it should be sure to complete the Improvements category, where the lessons learned from the specific incident are incorporated and the response plan is updated.
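The baseline that the Detect function calls for does not have to start with an expensive platform. The following Python is an added example, not code from the article or from NIST, showing the simplest useful version: per-user, per-destination outbound volume statistics built from a few normal days of flow summaries, then compared against the latest day so that new destinations, unknown users and volume spikes surface as findings. The flow records, user names and destinations are constructed, and the thresholds (three spreads above the mean, with a 10 percent floor on the spread) are assumptions a small business would tune to its own traffic.

```python
"""Baseline-then-detect over constructed daily flow summaries.

Added example for the Detect - Anomalies and Events discussion; the data,
names and thresholds below are constructed/assumed, not from NIST or the article.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: daily outbound volume (MB) per user and destination,
# as a log collector or firewall export might summarise it.
# Five "normal" days form the baseline.
BASELINE_FLOWS = [
    # (day, user, destination, megabytes_out)
    (1, "alice", "fileserver.internal", 120),
    (2, "alice", "fileserver.internal", 130),
    (3, "alice", "fileserver.internal", 125),
    (4, "alice", "fileserver.internal", 118),
    (5, "alice", "fileserver.internal", 127),
    (1, "bob", "crm.example.com", 40),
    (2, "bob", "crm.example.com", 45),
    (3, "bob", "crm.example.com", 42),
    (4, "bob", "crm.example.com", 38),
    (5, "bob", "crm.example.com", 50),
]

# Constructed "day 6" records to evaluate against the baseline.
# 203.0.113.7 is from the RFC 5737 documentation range, i.e. a placeholder.
NEW_DAY_FLOWS = [
    (6, "alice", "fileserver.internal", 126),  # within normal range
    (6, "alice", "203.0.113.7", 900),          # destination alice never used before
    (6, "bob", "crm.example.com", 410),        # roughly 10x bob's usual volume
    (6, "carol", "crm.example.com", 30),       # account with no baseline at all
]


def build_baseline(flows, min_spread=0.10):
    """Summarise normal activity.

    Returns (stats, known) where stats maps (user, dest) -> (mean, spread)
    and known maps user -> set of destinations seen during the baseline.
    The spread is floored at min_spread * mean so a perfectly flat baseline
    does not flag every small fluctuation (assumed tuning choice).
    """
    daily = defaultdict(list)
    for _day, user, dest, mb in flows:
        daily[(user, dest)].append(mb)

    stats = {}
    known = defaultdict(set)
    for (user, dest), values in daily.items():
        avg = mean(values)
        spread = max(pstdev(values), min_spread * avg)
        stats[(user, dest)] = (avg, spread)
        known[user].add(dest)
    return stats, dict(known)


def find_anomalies(stats, known, flows, k=3.0):
    """Compare new flow records against the baseline.

    Returns a list of (user, dest, reason) tuples. Reasons:
      unknown-user     - no baseline exists for this account
      new-destination  - user has a baseline but never talked to this host
      volume-spike     - volume exceeds mean + k * spread for this pair
    """
    findings = []
    for _day, user, dest, mb in flows:
        if user not in known:
            findings.append((user, dest, "unknown-user"))
        elif dest not in known[user]:
            findings.append((user, dest, "new-destination"))
        else:
            avg, spread = stats[(user, dest)]
            if mb > avg + k * spread:
                findings.append((user, dest, "volume-spike"))
    return findings


def run_detection():
    """Build the baseline from the sample days and evaluate the new day."""
    stats, known = build_baseline(BASELINE_FLOWS)
    return find_anomalies(stats, known, NEW_DAY_FLOWS)


if __name__ == "__main__":
    for user, dest, reason in run_detection():
        print(f"{reason:16} user={user} dest={dest}")
```

The three findings this produces (a new destination for alice, a volume spike for bob, and an account with no baseline) are exactly the kinds of events the Anomalies and Events category expects to be noticed, and the baseline itself documents what "normal" means for the business, which is the part small organizations most often skip. A real deployment would rebuild the baseline on a rolling window and feed findings to whoever owns the response plan.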

The NIST Cybersecurity Framework is a key asset that includes robust best practices and recommendations applicable to any size organization. Check out our series to learn more about the Framework, and connect with our security experts to bolster your protection today.