On the January 5 episode of the CyBUr Smart Morning News Update (available at all your fine podcast outlets) I discussed Cybersecurity Frameworks. This was based on a recent article that discussed the costs that small and medium business owners in the Defense Industrial Base sector will incur to get assessed under the upcoming Cybersecurity Maturity Model Certification (CMMC) framework. These costs (just to get assessed/certified, not including the cost of getting up to speed on the required controls/practices) will be a tremendous burden on SMBs in the space that operate on thin budgetary margins. Despite these potential problems, cybersecurity frameworks are an excellent tool to help companies start a process of improving their corporate cybersecurity posture. But for most in the SMB space, what is a cybersecurity framework (CSF), and where does one start?
A CSF, simply put, is a set of guidelines, best practices, and standards designed to help organizations manage and reduce their cybersecurity risks. These frameworks provide a structured approach for ensuring the confidentiality, integrity, and availability of information and information systems. There is no one-size-fits-all approach here. Many different organizations have developed their own frameworks, including NIST (the Cybersecurity Framework and SP 800-53), ISACA (COBIT), ISO/IEC (the 27001 series), and CIS (the Critical Security Controls). This post does not go deep into each of these; it is meant to give business owners a starting point for considering their use.
What is the value of using a CSF when it comes to cybersecurity:
1. Standardization and Best Practices: Cybersecurity frameworks offer a structured approach, harmonizing various practices and standards. This enables organizations, regardless of size or sector, to establish a strong, standardized baseline for their security measures.
2. Risk Management: They provide a systematic method to identify, assess, and manage cybersecurity risks. This proactive approach is crucial in a landscape where threats are constantly evolving.
3. Compliance and Legal Assurance: Many frameworks align with regulatory requirements, helping organizations not only protect their data but also ensure compliance with legal and regulatory standards.
4. Incident Response Preparedness: In the event of a breach, a well-defined framework equips organizations with the necessary procedures to swiftly and effectively respond, mitigating potential damage.
5. Building Trust: Demonstrating adherence to recognized cybersecurity frameworks can enhance trust with clients, partners, and stakeholders, showcasing a commitment to data protection and security.
This is not an all-inclusive list but at least a discussion starting point.
One thing I mention all the time is that most CSFs list lots of different controls to focus on, all of which help companies get down the road to better cybersecurity. But some, like NIST SP 800-53, have hundreds of controls, which can be overwhelming for SMB owners/operators. However, you can get started with a CSF by focusing on 10 important controls that put you on the cybersecurity road. Because if you aren't doing these 10 (whatever those are), you likely aren't doing any.
As an example, I recommend these 10 to start (the first five track the opening controls of the CIS Critical Security Controls, which is a good place to read further):
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Secure Configuration of Hardware and Software
5. Controlled Use of Administrative Privileges
6. Security Awareness and Training
7. Data Protection and Privacy
8. Incident Response Planning
9. Regular Backup and Recovery Procedures
10. Password and MFA policy requirements
The value of a cybersecurity framework isn't just in its adoption but in its continual adaptation and integration into every aspect of an organization's operations. Remember, there is no right or wrong way to utilize a CSF, but it is important to at least start considering the use of one (whatever it looks like) to improve your cybersecurity hygiene, reduce your cyber risk profile, and lessen your likelihood of becoming a cyber victim.
If you have additional questions about CSF, feel free to reach out. Discussions are free.
#getcybursmart #becybersafe #knowledgeisprotection