All industries are affected by the threat of cyber-attack, and both the frequency of these threats and the impact of an incident are increasing each year. Many organisations monitor the threat landscape, and a few publish frameworks that all of us can work towards. One of them is NIST, the National Institute of Standards and Technology, based in the USA. It is a leading organisation that promotes cyber security standards for industry.
- The average cost of a data breach to a major organisation is around $4 million, or $150 per record, according to a recent study by IBM and Ponemon.
- The same study found that around 44 percent of all enterprises have been hacked on at least 30 separate occasions in the past 12 months.
- On average, it takes financial companies over three months to detect a data breach, while it takes retailers over six months.
- Over 3 billion consumer records, email accounts, passwords, bank records and many other types of personal records have been exposed in breaches.
- Many breaches are so detrimental to customer confidence that organisations soon find sales dry up.
Data breaches are expensive, disruptive and bad for business. They scare away potential and current customers and damage the company's brand, even before we consider the financial impact, GDPR and potential legal action.
These threats affect businesses of all sizes, from a single home office to multinational organisations. All of them must do everything in their power to protect themselves against a growing multitude of cyber threats.
Protecting against potential incidents isn't brain surgery: there are many tools, solutions and frameworks to help you identify where to deploy security controls. One framework that is worth a look comes from the National Institute of Standards and Technology (NIST).
What is NIST?
NIST is a non-regulatory agency within the US Department of Commerce. Historically it is a physical sciences laboratory that provides measurement standards, for example how much liquid a gallon contains. Its guides set standards for how industries operate across every type of innovative technology, from medical health records to aeroplanes and global pharmaceutical organisations.
What is NIST compliance?
NIST's goal is to provide US federal agencies, and other organisations that require strict data protocols, with easy-to-use and cost-effective strategies for protecting their information systems and applications. The standard has also been adopted by European security providers, frameworks and solutions, including ourselves, as a framework for how we work.
In 2013, in response to the growing threat of cyber security attacks, President Barack Obama ordered NIST to develop a Cybersecurity Framework for the protection of the following critical infrastructure sectors:
- Commercial facilities
- Critical manufacturing
- Defence industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials and waste
- Transportation systems
- Water and wastewater systems
This policy is now known as the widely accepted NIST Cybersecurity Framework (CSF). At its core, the CSF consists of five essential functions which, when followed, provide system-wide protection across an organisation's information systems and applications.
NIST Cybersecurity Framework
1. Identify – Risk Management
An organisation starts on the path by understanding and identifying the potential cyber security risks that may affect its operations, strategy and company wellbeing. This is an ongoing, never-ending process of identifying and categorising risks.
2. Protect
Once you have a risk framework, this stage is about ways to prevent those risks from occurring. With the proper steps in place, organisations can ensure that applications operate as designed and services are delivered seamlessly. If an attack does occur, this work helps to limit the potential damage.
3. Detect
Detecting an attack, ideally in a timely fashion. This is where problems arise: typically a breach is not detected until 3 months after it happened.
4. Respond
The if and how of tackling an incident. We need to plan for the worst and know what to do when a breach occurs. This is where your planning comes to the fore and determines how well you can reduce the impact of an attack.
5. Recover
Once an attack has been dealt with, organisations have to move quickly to restore any services or systems that have been affected. Document what went according to plan, what didn't, and how likely something similar is to happen again. Once a breach occurs there is no going back; you are fair game for others.
To make your life easier, NIST also provides recommendations in the form of the following 9 steps:
- Categorise the data that you need to protect
- Develop a minimum baseline of controls for protecting your data
- Regularly conduct risk-assessments to refine your baseline security controls
- Document these controls in a security plan
- Execute security controls in the appropriate information systems and applications
- Measure the effectiveness of your security controls once implemented
- Determine the agency-level risk based on your security control assessments
- Authorise the information system for processing
- Monitor your security controls on a continuous basis
In the age of breaches and malicious actors, it's more important than ever for all businesses to take proactive steps on cyber security. No matter how big or small your company is, the last thing you want is to be hit by a breach.
Even if your business doesn't require CIA-level data encryption or doesn't operate in the U.S., you would still be better off following NIST's recommended cyber security framework. Across all industries, 70 percent of IT and security professionals support the NIST CSF, and for good reason: adhering to these standards drastically reduces the likelihood of a breach.
Security is a journey that requires constant attention, but you don't have to do it alone. By keeping on top of good frameworks and tools, and learning from your peers, you can continuously improve and strengthen your security posture.