How to Choose the Right Cybersecurity Framework
Cyber security is forcing its way to the top of the agenda for many business owners, but companies are quickly realising that security is about far more than having good anti-virus software and some backups. It’s a culture.
Businesses are starting to understand that securing your environment means implementing what is known as a cybersecurity framework across the entire organisation. But what is a cybersecurity framework? Put simply, it’s a set of standards, guidelines and best practices to adopt to help your business manage cybersecurity risks.
Why do you need all of this, I hear you say? Well, the obvious answer is because the threat landscape is changing. Technological advancement far outpaces security improvements, and the only people truly keeping pace with developers are the cyber criminals. You may recognise this model:
- A new technology is invented
- We embrace this new technology
- Someone exploits the technology
- We find a way to protect the technology
- Eventually, the protection is applied
Let’s assume this is enough to get you thinking about implementing a framework. With so many of them out there, how do you go about choosing the right one? Choosing a framework depends heavily on your reason for implementing it in the first place. Is it to genuinely improve your company’s ability to cope with cyber threats, or is it merely to satisfy a regulatory requirement or certification body? For all the good intentions of regulatory bodies and certifications, you could find yourself ticking the boxes for compliance without actually becoming any more secure than you were before you started.
You also need to be sure that the strategy is proportionate and practical for your business. What works for one company may not be the right fit for you. And remember, the best framework is the one that you will actually follow.
While there are plenty of very suitable alternatives, one option is the NIST Cybersecurity Framework. Its quick start guide gives you a very simplified breakdown of the essential considerations for your strategy. If you are familiar with the people-process-technology (PPT) framework, you’ll notice that the key functions in the cybersecurity framework align frightfully well. A good framework should address people (training and awareness), process (policies and general approach) and technology (the tools to do your job).
The NIST model breaks down the framework into these 5 key components:
- Identify
- Protect
- Detect
- Respond
- Recover
If you begin your search for a framework by working through the NIST advice in Identify, you’ll be that much closer to finding the framework that works for you.
You need to understand your own business needs, know what information and physical assets you have and use, and understand what would happen if those were unavailable. What issues and challenges is your business facing? What are the expectations of your stakeholders?
Once you’ve identified what needs to be protected and the risks ahead of you, it’ll be far easier to choose a framework for your needs. Whichever one you land on, it must have buy-in from all stakeholders to be successful. If all of this sounds like too much to take on, remember that once you’ve identified those assets and risks, even a handful of safer practices combined with some good old-fashioned housekeeping can be a step in the right direction.