In years past, it was a challenge for organizations across every industry to ensure they were protected against the risks of – and ready to respond to – a cybersecurity incident. Decision-makers and IT administrators alike followed the advice of experts and worked to create strong safeguards and response and recovery plans.
It wasn’t until early 2013 that a more concrete set of cybersecurity standards was put into place in the form of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Supported by an executive order under the Obama administration, the framework’s aim was to spur more consistent sharing of threat information as well as best practices for reducing risk and safeguarding critical infrastructure.
Now, the NIST Cybersecurity Framework is in the spotlight, thanks to a recent act from the Trump administration.
NIST Small Business Cybersecurity Act
According to a press release from the White House, President Donald Trump signed the “NIST Small Business Cybersecurity Act” into law on August 14, 2018, alongside a handful of other propositions. This act seeks to better support smaller organizations in their pursuit of data protection, and requires NIST “to develop and disseminate resources for small businesses to help reduce their cybersecurity risk.”
While NIST already provides key resources and information through its website, this increased attention to the cybersecurity struggles that small businesses face is particularly beneficial in the current landscape. As threat actors continue to act with rising sophistication and advanced attack techniques, it’s an uphill battle for protection and prevention for small businesses, many of which have limited resources and budgets for cybersecurity initiatives.
Dr. Bret Fund, founder and CEO of SecureSet, told InfoSecurity that this bill represents a step in the right direction for data protection and infrastructure security efforts. Fund added that the measure signals a dedication under the current administration to reduced risk and stronger cybersecurity.
“This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” Fund said.
What’s more, because attacks can impact organizations of any size, and because smaller businesses typically have limited protections and expertise on their side, a cybersecurity incident could be devastating to the success of the company.
“Recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructure,” Cavirin product management vice president Anupam Sahai told InfoSecurity.
Small businesses are often the easiest targets for hackers today.
Examining the NIST Framework
While NIST’s Cybersecurity Framework is voluntary, and non-compliance with its recommendations doesn’t currently carry any penalties, the standards and best practices it includes have been shown to improve data and infrastructure protection and to reduce the risk that a cybersecurity incident will topple a business.
According to recent research from the National Cyber Security Alliance, nearly half of all small businesses have experienced a cyberattack at some point during their lifecycle. What’s more, over 70 percent of cyberattacks specifically target small businesses. And of the small companies in which a successful attack has taken place, 60 percent close their doors for good due to being unprepared to respond and recover from the incident.
A resource like NIST’s Cybersecurity Framework can prove invaluable in this type of threat landscape. The Framework is broken down into five key functions (Identify, Protect, Detect, Respond and Recover), each of which includes specific categories and subcategories of best practices and recommendations.
Each function revolves around a specific cybersecurity activity, and when the efforts are combined they help organizations create more robust, end-to-end security. By following NIST recommendations, businesses can identify the specific risks that could impact their cybersecurity, guard against those threats in particular, put systems in place to detect threats, understand the best measures for responding to detected threats, and know the strategies that must be undertaken for recovery.
Potentially overlooked areas
Because each function of the framework operates in conjunction with the activities included in the next function, it’s imperative that stakeholders ensure that they are carefully and comprehensively undertaking each practice outlined. For instance, the second function, Protect, cannot be completed effectively without first identifying the specific threats that need to be guarded against.
Let’s examine some of the areas that could potentially be overlooked within the framework, and where they fit into each category and function:
The NIST Cybersecurity Framework is a key asset that includes robust best practices and recommendations applicable to any size organization. Check out our series to learn more about the Framework, and connect with our security experts to bolster your protection today.