Headlines coming out of Sweden in July gave IT departments around the world a jolt: one of the country’s largest grocery chains, COOP, had been hit by ransomware and had to temporarily shut down hundreds of stores.
Cybercriminals had infiltrated the software as a service (SaaS) company Kaseya, whose client management platform is used by as many as 40,000 organizations (including COOP). The attack was so sophisticated that clients believed they were downloading a Kaseya software update, when in fact they were installing ransomware from a hacker group known as REvil.
Cyber threats and attacks are becoming more common, no matter which industry and no matter the size and reach of your company. Big and small organizations face daily risks of hacking and data breaches, and the best way for an organization to address these challenges is to implement a strategic, well-developed cybersecurity plan to protect critical infrastructure and information systems: a cybersecurity framework.
What is a cybersecurity framework?
A cybersecurity framework is a collection of best practices that an organization should follow to manage its cybersecurity risk. The goal of the framework is to reduce the company’s exposure to cyberattacks, and to identify the areas most at risk for data breaches and other compromising activity perpetrated by cyber criminals.
A strong cyber risk management framework is closely intertwined with the organization’s risk management strategy and risk management programs. Combined with the use of updated information technology and artificial intelligence, a solid cybersecurity risk management framework can be an excellent way to stave off cyber attacks.
Using the NIST cybersecurity framework as your baseline
If developing and implementing a cyber risk management framework from scratch feels intimidating, fear not. The National Institute of Standards and Technology (NIST) has issued many frameworks for security issues. One of the best known is the NIST Cybersecurity Framework (CSF), a set of guidelines that were originally developed for government entities and have since been adapted for private sector use. Not only does CSF provide a framework to understand cybersecurity risk management, it also includes guidelines to help companies prevent and recover from attacks.
NIST compiled these standards after then-President Barack Obama signed an executive order in 2014 that aimed to establish a cybersecurity framework to help protect the country’s critical infrastructure and federal information. The CSF is optional: some other NIST standards are mandatory for certain businesses, but the CSF is not.
There are five main functions of NIST’s cybersecurity framework:
- Identify. Companies must first examine and categorize their supply chain and work environment, to better understand which cybersecurity risks their systems, assets, data, and frameworks are exposed to. This process is also known as a cybersecurity risk assessment, and it provides a baseline for day-to-day risk.
- Protect. Organizations must develop and implement appropriate safeguards to limit or contain the effects of possible cybersecurity events. Protection includes cybersecurity monitoring programs, firewalls, and physical security controls such as locking the door to your data center. Protective controls need continuous monitoring to remain effective.
- Detect. Organizations must implement appropriate procedures to identify cybersecurity events as soon as possible. A clear methodology should be established so everyone within the organization knows what to do in case of a cyber attack.
- Respond. Have an incident response team in place before you need it. Make sure all stakeholders are involved in this part of the planning, and that there is a clear chain of command from the moment the cyber attack has been identified until it’s mitigated.
- Recover. Mitigation is a big part of recovery. It includes plans for how you will best restore crucial functions and services, as well as a catalog of temporary security controls to implement as soon as your systems have been compromised by a cybersecurity event.
Compliance and industry-specific requirements
The risk management process and the tools you use to determine cybersecurity risk may be the same across industries, but some businesses — such as those that manage healthcare, human resources, or credit card payments — have specific requirements for their cybersecurity programs and also for response and recovery. For example, a company that handles credit card transactions must prove that it complies with the Payment Card Industry Data Security Standard (PCI DSS) framework, which requires the company to pass an audit.
A strong cybersecurity framework can provide excellent guidance as you work through the layers of risk assessment. When applied properly, a cybersecurity framework allows IT security leaders to manage enterprise risks more efficiently. The NIST model allows an organization to adapt an existing cybersecurity framework to meet its needs or provides guidance for the organization to develop one internally.
Discover the full power of ZenGRC
At Reciprocity, a team of cyber security professionals is always looking out for you and your assets, making sure you get the best and most up-to-date risk management tools.
ZenGRC works in tandem with governance, risk management and ever-changing compliance demands to keep your business safe.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow; it also lets you find areas of high risk before that risk has manifested as a real threat.
Worry-free compliance management is the Zen way. For more information on how ZenGRC can help your organization, contact us for a demo.