If recent global security breaches impacting over 200,000 computers in 150 countries and costing millions are anything to go by, it could not be clearer that cyber security impacts businesses as a whole, not just IT departments.
The types of threats businesses face are changing too. Attack tooling is becoming more capable, increasing the impact that hackers can have on a business. Hackers are moving to more sophisticated agendas such as espionage, disinformation, market manipulation and disruption of infrastructure, on top of earlier threats such as data theft, extortion and vandalism. Mitigating these threats requires businesses not only to think of cyber security as a business risk, but to act on it as well. Successfully protecting a company requires the business to consider what these cyber risks mean for the business as a whole and for its customers.
Gone are the days when companies could pass the headaches of cybersecurity off to the IT department. Now, cybersecurity is also a business issue, especially since businesses are more digitized and are therefore exposed to an increasing number of threats if they do not manage security risk properly.
Facing cyber security as a business risk, not merely a technology risk, is the theme for week 2 of National Cyber Security Awareness Month (NCSAM), appropriately named Cybersecurity in the Workplace is Everyone’s Business. Week 2 showcases how organizations can protect against the most common cyber threats by looking at the resources that help organizations strengthen their cyber resilience.
US-CERT, the United States Computer Emergency Readiness Team, encourages organizations and employees to review the following resources:
- NIST Cybersecurity Framework,
- DHS Stop.Think.Connect. Toolkit,
- National Cyber Security Alliance Workplace Tips, and
- US-CERT Home and Business Networks page.
NIST – Cybersecurity Framework
Creating a culture of cybersecurity is critical for all organizations—large and small businesses, academic institutions, non-profits, and government agencies—and is a responsibility shared among all employees. The National Institute of Standards and Technology (NIST) has published resources including standards, guidelines, and best practices to help organizations of all sizes to strengthen cyber resilience.
The Cybersecurity Framework, created under an Executive Order issued on February 12, 2013, is a “set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses” (page 1 of Framework for Improving Critical Infrastructure Cybersecurity).
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. These components are explained as follows:
- The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. (page 4, Framework for Improving Critical Infrastructure Cybersecurity).
- Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
- A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
How to use the Framework
An organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.
The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. (page 13, Framework for Improving Critical Infrastructure Cybersecurity).
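As an added illustration of the overlay-and-gap step described above (example code written for this post, not the Framework's or NIST's own tooling): a small Python gap analysis that compares a Current Profile with a Target Profile, Tier by Tier, and ranks the gaps into a roadmap weighted by importance to critical service delivery. The Subcategory identifiers follow the Framework's naming style; the specific Tier values and business weights are constructed sample input.

```python
from dataclasses import dataclass

# The five concurrent Framework Core Functions named on the page.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
# Implementation Tiers, ordered from informal/reactive to agile and risk-informed.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Outcome:
    """One Core outcome (Subcategory) an organization selected into its Profile."""
    ident: str     # Subcategory identifier in the Framework's "XX.YY-n" style
    function: str  # Core Function the Subcategory belongs to
    weight: int    # importance to critical service delivery, 1 (low) .. 5 (high)

def gap_roadmap(outcomes, current, target):
    """Overlay the Current Profile on the Target Profile and rank the gaps.

    Profiles map Subcategory id -> Tier (1..4); an outcome absent from `current`
    counts as Tier 1, one absent from `target` needs no work. Priority = tier gap
    x business weight, so spending goes where it most affects service delivery.
    """
    rows = []
    for o in outcomes:
        if o.function not in FUNCTIONS:
            raise ValueError(f"{o.ident}: unknown Function {o.function!r}")
        cur = current.get(o.ident, 1)
        tgt = target.get(o.ident, cur)
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"{o.ident}: Tiers must be 1..4")
        if tgt > cur:
            rows.append({"id": o.ident, "function": o.function,
                         "current": TIERS[cur], "target": TIERS[tgt],
                         "priority": (tgt - cur) * o.weight})
    rows.sort(key=lambda r: (-r["priority"], r["id"]))  # biggest weighted gap first
    return rows

def function_floor(outcomes, profile):
    """Lowest Tier reached within each Core Function (its weakest outcome)."""
    floor = {}
    for o in outcomes:
        floor[o.function] = min(floor.get(o.function, 4), profile.get(o.ident, 1))
    return {f: TIERS[t] for f, t in floor.items()}

# Constructed sample Profile: ids follow Framework naming; Tiers and weights are illustrative.
SAMPLE = [Outcome("ID.AM-1", "Identify", 5), Outcome("PR.AC-1", "Protect", 5),
          Outcome("DE.CM-1", "Detect", 4), Outcome("RS.RP-1", "Respond", 3),
          Outcome("RC.RP-1", "Recover", 3)]
CURRENT = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 3}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 4, "RS.RP-1": 3, "RC.RP-1": 3}
```

Calling `gap_roadmap(SAMPLE, CURRENT, TARGET)` on the sample puts the Protect access-control outcome first (two Tiers behind on a weight-5 item), and `function_floor(SAMPLE, CURRENT)` shows Protect still sitting at Partial, which is the kind of executive-level summary the Core is meant to enable.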
DHS’s Stop. Think. Connect. Toolkit
Cyber criminals do not discriminate; they target vulnerable computer systems regardless of whether they are part of a large corporation, a small business, or belong to a home user. Cybersecurity is a shared responsibility in which all Americans have a role to play.
The Department of Homeland Security (DHS) Toolkit provides resources and materials for all segments of the community. Students of all ages, small businesses, government, law enforcement, older Americans, educators and parents, industries and young professionals can all access a library of tools to stay connected, informed, and involved in protecting themselves against cyber threats. Each of the segments mentioned also has toolkit materials organized by cyber topic that relate directly to its specific audience, as well as a list of frequently requested publications supporting DHS’s cybersecurity priority and mission.
National Cyber Security Alliance – StaySafeOnline
The National Cyber Security Alliance provides useful tips and resources to create a culture of cybersecurity awareness in the workplace, including “at work” tips such as the following:
- Post simple and actionable online safety tips around the office – for example, in the break room.
- Encourage your organization to get involved in the STOP. THINK. CONNECT.™ campaign by becoming a partner.
- Hold a brown bag lunch for employees to discuss your company’s IT security and acceptable use policies. Find talking points for employees here.
- Incorporate STOP. THINK. CONNECT.™ tips into employee handbooks and newsletters.
- Host an employee training on cybersecurity. Check out ESET’s free cybersecurity awareness training as a great resource.
- Lock down your login: Strengthen your company’s email and online accounts by adding extra layers of security beyond a username and password.
US-CERT Home and Business Networks
US-CERT’s home and business page offers articles, materials and tools about cybersecurity for securing home and small-business networks. Features ranging from 10 Ways to Improve the Security of a New Computer to Home Network Security to Virus Basics are relatable topics for consumers and organizations, and provide important information about security risks and how to guard against them.
Stay tuned for next week’s blog featuring NCSAM’s Week 3 theme, Today’s Predictions for Tomorrow’s Internet.