How to Protect Small Businesses with the NIST Cyber Security Framework

Use the NIST Framework to better understand, manage, and reduce your cybersecurity risks. Safeguard critical operations and service delivery to prioritize investments and maximize the impact of each dollar spent on cybersecurity.

This article explains how to protect small businesses with the NIST Cyber Security Framework. I’ll detail the 5 areas of the NIST Cyber Security Framework and how Waident is applying NIST to protect SMB clients from cyber threats.

What does it take for an SMB to achieve cyber security standards?

Dealing with cybersecurity is on nobody’s fun list. While there are a ton of moving parts that affect nearly all aspects of your business, it can be done—and much easier than you may think. I know because Waident has done it ourselves. We aligned all our policies and procedures with the industry-leading NIST cybersecurity standard framework. The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it fosters communications among internal and external stakeholders by giving our clients and us a way to talk about risk in a business context. Most important, NIST gives us the framework and credentials to keep Waident and our clients secure, more resilient, and ahead of the coming compliance squeeze.

The Framework helps organizations better understand, manage, and reduce their cybersecurity risks. It helps determine which activities are most important to assure critical operations and service delivery so you prioritize investments and maximize the impact of each dollar spent on cybersecurity. By providing a common language to address cybersecurity risk management, it is especially helpful in communicating inside and outside the organization. That includes improving communications, awareness, and understanding between and among IT, planning, operating units, and executives, as well as, customers and suppliers.


Patrick Giatomosso
Cyber Security Leader
Patrick is Waident’s cybersecurity leader and manages NIST and Compliance for both clients and Waident.  A tech at heart and businessman in mind, he focuses on improving clients’ security posture and enhancing Waident’s Helpdesk support.

Why Cybersecurity Standards are Important to SMBs

I’m often asked if cybersecurity standards are important to SMBs. You bet your sweet bippy! I’ve seen this story play out more and more the past several years:

One of our clients frantically contacts us because one of their customers wants to know

  1. if their company adheres to any security standard like SOC 2, NIST, ISO, PCI, HIPAA, GDPR, etc. and, if so,
  2. can they please have an overview of the associated cybersecurity policies?

Our client begins to panic because, while they had talked about doing something, they never got to it (even with our prompting and pushing). They put cybersecurity low on their priority list or, in some situations, chose not to follow any standard because they thought the risk was irrelevant to their business. Now, they find themselves, not a victim of a hack, but the sufferer of the business reality of losing a customer or prospect because they are not up to a security standard the market demands.

2 Great Reasons to take Cyber Security Seriously

1. The threats are real and expensive.

2. The story above illustrates that there is a business upside to compliance standards. Pragmatic business owners see IT as a means to an end. Their goals are simple: keep my people productive, keep the enterprise running, and keep valuable data safe. In other words, use IT to enable me to competitively serve clients and make money.

What do you think the reaction would be from a client if you could NOT answer their question right away and/or prove that you were not just blowing smoke?  Do you think they’d lose confidence in you? Do you think that they’d start questioning the depth and validity of other products and services you provide them? Do you think they want to put their own clients and their reputation at risk?

On the other hand, what reaction would you get if you provided a holistic philosophy and supporting model that outlined your approach to security in detail?  Would they be impressed or at least feel comfortable that you lived up to their high expectations of you? Wouldn’t you rather outshine your competition?  Compliance standards provide an opportunity for you to differentiate your firm’s care for customers, understanding of their needs, and your attention to detail.

I know that I want any edge I can get on my competitors.

 

“Cybersecurity is just not a tech challenge, solved only in acquiring a technical solution. It is a business issue that must be addressed comprehensively through people, processes, and technology. The NIST CSF provides a comprehensive and programmatic approach to bridge the organization’s businesses objectives with their security objectives, integrates with other industry security control standards, and is flexible so that any organization can adapt to best suit their needs.”

Abby Daniel, Amazon Web Services (AWS) Public Sector Manager for Business Development


Who is NIST – The Industry Standard for Cybersecurity

First, who is NIST? NIST is an acronym for the National Institute of Standards and Technology.

NIST, founded in 1901, is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. You may have heard of NIST because one of its many programs includes the annual Malcolm Baldrige National Quality Award, which recognizes performance excellence and quality achievement.


What is the NIST Framework

The NIST framework has 3 central components: 1. Core, 2. Tiers, and 3. Profiles.

The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes. The Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover. These Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.


Identify – Inventories the company’s systems, people, assets, data, and capabilities risks. Then, it structures the organization’s approach to managing cyber risks so it can prioritize its efforts, consistent with its risk management strategy and business needs.

Protect – Outlines safeguards that ensure you can deliver critical operations and service delivery while enabling you to limit the impact of a potential cybersecurity event.

Detect – Describes the activities and tools that identify the occurrence of a cybersecurity event.

Respond –  Includes the appropriate activities that address a detected cybersecurity incident and contain its impact.

Recover – Identifies appropriate activities to maintain resilience and restore any capabilities that were impaired due to a cybersecurity incident.

 

The Framework Implementation Tiers provide context on how an organization views cybersecurity risk management. The Tiers help organizations consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

The Framework Profiles afford an opportunity to identify areas where existing processes may be strengthened or new processes implemented. The Profiles, when paired with the Framework’s easy-to-understand language, strengthen communication throughout the organization. The pairing of Framework Profiles with an implementation plan allows an organization to take full advantage of the Framework by enabling cost-effective prioritization and communication of improvement activities among organizational stakeholders, or for setting expectations with suppliers and partners. The Profiles and associated implementation plans can be used to demonstrate due care to stakeholders like the customers mentioned in my opening comments.

The Framework is guidance. It should be customized by different sectors and individual organizations to best suit their risks, situations, and needs.

Let’s jump in and see how to protect small businesses with the NIST Cyber Security Framework.

 

Step 1: Identifying Cyber Risks in SMBs Using the NIST Framework

Frameworks are great for consultant presentations, but are they relevant to how work actually gets done in the real world? No doubt I have seen my share of boil-the-ocean IT models. I, like most of the pragmatic business leaders of our clients, don’t have time for them. That is why I like identifying cyber risks in SMBs using the NIST Framework. It provides a sophisticated but practical approach for SMBs to identify and manage cyber risks in a way that works for each organization’s uniqueness.

In my last post, I shared an overview of the National Institute of Standards and Technology Cyber Security Framework (NIST) and the 5 “Functions” in the model. This time, I want to demonstrate how we use the NIST model to more easily and quickly get our clients’ businesses into a stronger security posture one function or step at a time. These functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The first function in the model is Identify.

 

In the NIST Identify step, we:

1. Inventory the company’s systems, people, assets, data, and capabilities, then,

2. Structure the organization’s approach to managing cyber risks so it can prioritize its efforts, consistent with its risk management strategy and business needs.

In other words, we catalog everything that could be attacked or go wrong and then prioritize them in order to address them.

 

Inventory the company’s systems, people, assets, data, and capabilities

Our Inventory process combines a simple, straightforward questionnaire with 3 technology tools. The questionnaire explores and challenges you to think about your current security-related policies, documentation, and procedures. The technology tools help us identify areas of risk in your technology stack along with seen and unseen interdependencies between your technology, processes, and people that create vulnerabilities and operational threats. We involve everyone in the business that we can in the process because people are the root of good cybersecurity.

We meet with various business leaders to discuss applications, third-party platforms, the flow of information, and their concerns. We interview finance, the office manager, operations, and key users who have the working knowledge required to create a holistic picture of the technology and operational environment. The process pulls all of the key players together for 1 to 2 hours of discussion. Then the technology tools are loaded, run, and removed within hours. The whole process takes about 8 hours total. It is designed to have little to no impact on your team’s productivity and produces a robust catalog of potential threats.

Most of our clients suffer from some inertia beforehand because they fear that the process will be time-consuming, difficult, and could expose shortcomings. They are surprised at how quickly and easily they can collect relevant details and feel relief from getting their arms around a comprehensive set of data they can use to create a plan to manage risk. Our clients typically achieve a deeper understanding of their business and the risks they never knew were threatening it. Many clients say, “I now know what I didn’t know.” They realize what they thought were common and reasonable business practices are really security vulnerabilities. The inventory allows them to prioritize and correct them, and they are relieved to learn how easily the risk can be addressed.

In one case, we had a large client that had an old system that was rarely used but still in production (you know the one where a lone ranger in the company has to keep a system alive just in case…). Our analysis found that the old system had not been updated in years and allowed a security flaw in one of its modules to be compromised MONTHS before we arrived. Once we identified the hack, we fixed it with a simple update and then augmented the maintenance procedures to prevent an old system from either being neglected or remaining in production in the first place.

 

Structuring the organization’s approach to managing cyber risks

Unfortunately, most SMB organizations do not have robust risk management plans, if they have one at all. Using the inventory data above allows us to meet the client where his/her organization is and create the appropriate plan and solutions.

If a client does not have a risk management plan we jumpstart the process using the NIST Framework’s best practices and templates. If they do have a risk plan in place, we build into its existing structure to make it as robust as possible. When it comes time to prioritize the risks, we ask the client to prioritize them. Each business and its leaders define risk in many different ways (e.g. probability, financial repercussions, effort to address, investment costs, time, etc.). One person’s greatest fear is another’s greatest opportunity. We help guide and quantify the risk so the business can make an educated decision.

Moving from a prioritized list to actions is the easy part. Much of what we find can be addressed immediately with no user impact (e.g. a missing update or new version of firmware). The remaining items that have a business impact (cost, end-user disruption, etc.) get discussed, and we map out a plan for addressing them.  Then we create a project plan or a series of helpdesk tickets to resolve each item quickly. We have clients on the simple end of the risk continuum that require simple risk management and solutions to maintain a secure environment, and clients on the opposite end that have complex businesses and environments.  We meet with more complex clients regularly about security because they have checkoff sheets and processes that need to be followed, documented, and approved.

Identifying cyber risks in SMBs using the NIST Framework

SMBs must identify risks before anything can be done to mitigate them. A systematic approach like NIST is a viable way to ensure that there is a stable and robust cybersecurity posture. It all starts with the Identify function. The process may seem daunting at first glance, but it’s really not if you have the correct process, people, and support in place to execute it.

Are you truly comfortable with asking your IT people how they handle security and getting an answer like, “We do all kinds of stuff!”? Pragmatic business leaders are not. By identifying where your risks are, you can have a MEANINGFUL business-to-IT discussion about your risks. From there, you are in a position to move forward and determine the right plan to protect your people, systems, and data.

Step 2: Protecting SMBs from Cyber Risks

After SMBs Identify risks in the first step of the NIST Framework, the second step defines the process to Protect your assets. We like to refer to this NIST step as making the “security sandwich.” We like this metaphor because we incorporate layers of protection to shield data and systems from hackers. When I say layers, I mean layers; lots of layers. The layers create redundancy and backstops because there is NO singular protection that can address all security threats. The more layers on your security sandwich, the more robust the protection.

 

In the NIST Protect step, we:

1. Determine options for protecting critical data, systems, and people, then,

2. Implement protections and leverage best practices so you can better sleep at night

Simply put, we outline and implement safeguards that ensure you can maintain critical operations, continue service delivery, and limit the impact of a potential cybersecurity event.

 

Determine options for protecting critical data, systems, and people

If the threats and mandates are not already overwhelming and confusing enough, there are literally thousands of options available for an SMB to protect its environment. These solutions can lead to vastly different cost structures and, more important, impact on your systems and employees. It can be a daunting task for any business to determine the best approach that protects your critical systems, aligns with your risk management strategy, and remains within your budget constraints. We’ve learned that a layer of protection is only good if it is properly used, remains effective, and does not get in the way of your business.

Simple additions to protect SMBs from cyber risk

Beyond the basics of good password management, we add protective layers to email (spam filtering, anti-phishing, anti-virus/spyware, encryption, and sandboxing) as a multifaceted layer to your security sandwich. Also, the standard desktop and server anti-virus/spyware/malware applications installed can be upgraded to much more robust and effective protection. Along with managing the firewall, protecting logins with MFA, and security awareness training for your entire team, you can create a multilayer, robust security sandwich rather quickly.

Some SMBs will need more advanced security protections because they are regulated or, as we often see, held to a high security standard by their own clients. We add more layers to the sandwich in NIST step 3, Detection, which I will cover in my next post. Let’s look at what it takes to effectively implement these Protection layers.

 

Implement protections and leveraging best practices

As you can imagine, implementation is critical. “Cheap-and-easy-for-IT-to-install” technologies are often layered on without understanding the technology’s interdependence with other systems and, more important, its impact on the business. Your protection will inevitably fail if people reject it because they don’t understand its purpose or it gets in the way of doing their jobs.

Our Resilient IT approach begins with a people-first mindset. Implementing cybersecurity protections is no exception. We balance the need for security with the need to get real work done efficiently and effectively. If you want to achieve this balance, your organization must invest the time and effort to ensure that every cybersecurity protection installed provides the maximum defense with minimal unfavorable impact, if any at all.

Given the ever-evolving threats, cybersecurity is a dynamic and communal discipline.  It is critical to work with enterprise-level partners and tools that have a long track record of being successful. Big user networks allow organizations to understand the latest threats and exploit the collective wisdom of an active and dogged community. We take advantage of the combined knowledge and best practices of our partner platforms to ensure each tool is set up properly the first time and finely tuned as threats evolve.

After an SMB has identified its risks, it’s time to mitigate them with the proper tools, practices, and support. Adding tools for tools’ sake is not an effective approach. Such an approach can add unnecessary costs and burdens to the business. The most effective approach to protecting SMBs from cyber threats involves a people-first mindset, a layered tool approach, and a thorough understanding of the risk and reward for each situation.

 

Step 3: Detecting Cyber Risks

You have been following the NIST framework and have successfully identified the areas of risk and implemented protections against them. We’re now at the stage to ensure that we are able to detect any breaches that make it over the proverbial “wall.” This is a CRITICAL step that many companies unfortunately avoid because they believe they’ve done everything needed to mitigate risks in the Protect step. The fact that the Detect step can be complex and expensive may stifle risk management momentum. Those who understand risk know how important the Detection step is because hackers are energized by the game of security cat and mouse. How do you know if a hacker has learned to circumvent a protection layer or any employee has gone rogue?

According to IBM, the average time for a company to discover a breach is 206 days. That is nearly 7 months of a hacker rampaging your systems while you blissfully go about your business. If that doesn’t send a cold shiver down your spine, I don’t know what will!

You will not know if you have been breached unless you are actively doing something to detect them.  The Detection layer is your canary in the coal mine.

 

In the NIST Detect step, SMBs:

1. Determine detection options for critical systems,

2. Implement appropriate detection along with the necessary procedures and reporting

 

Determine detection options for critical systems

Most companies bypass the Detection step of NIST and, if breached, allow hackers to burrow into companies’ systems for months and sometimes years. Why? Simple: Detection is demanding. It’s not as easy as installing anti-virus software that can be a set-it-and-forget-it protection-level solution. Detection is laborious. The way to detect if a hacker is in your systems is to capture the hack via log files. I’m talking about many systems, each having respective log files, and each system returning thousands of actions that need to be reviewed. It is not uncommon to have well over 100,000 lines of log data to review every day. Much, if not all, of the log data is super techy, and there is a level of expertise that is needed to understand it. Can you say data overload?

Firms generally have 2 paths they can take to monitor possible breaches.

 

Labor-intensive cutting-edge technology

This can be expensive. There are enterprise systems that can gather all the log files together and use AI and machine learning to review them in real-time looking for anomalies and hacker activity. These systems can filter out the noise to a very high degree and send only the suspect activity to someone on the security team to review. Now, instead of having to look over 100,000 lines of results, you may only need to look at perhaps 100 lines of the highest risk activity detected. This is great for sure, but it can also be very expensive. Luckily the costs are going down and this type of system detection is becoming more mainstream.

Simple technology layered together

An easier and more cost-effective way to achieve some level of detection is by implementing layers of smaller systems that add up to a good security posture. For example, a company can scan the Dark Web for any of its data and user login accounts being sold. One can implement a robust EDR solution that monitors computer activity and immediately blocks anything suspicious and logs it for review. Some companies roll out a desktop mitigation platform that allows them to monitor, detect, and control all activity at the individual device level.
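The two paragraphs above describe the core job of any detection layer, whether it is an expensive enterprise platform or a stack of smaller tools: take thousands of routine log lines and surface the few that a person needs to look at. The following added example (not Waident's tooling or the NIST Framework's own material) shows that reduction on a constructed authentication log. The log format, the thresholds, and the three rules (a burst of failed logins, a success from an address that was just brute-forcing, and a login outside business hours) are assumptions chosen for illustration.

```python
"""Reduce a large volume of authentication log lines to a short triage list.

Added example for illustration: a tiny rule engine showing how detection
tooling turns thousands of routine lines into a handful of events worth a
human's attention. The log format and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like format:
#   "<ISO timestamp> sshd: <Accepted|Failed> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAIL_THRESHOLD = 10            # this many failures from one source inside WINDOW = brute force
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; successful logins outside are flagged


def parse(lines):
    """Return (events, malformed_count); malformed lines are counted rather than silently dropped."""
    events, malformed = [], 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, malformed


def triage(lines):
    """Return the findings (dicts with 'rule' and 'detail') that deserve a human review."""
    events, malformed = parse(lines)
    findings = []
    if malformed:
        # A broken log forwarder is itself a detection gap, so report it rather than hide it.
        findings.append({"rule": "unparsed_lines",
                         "detail": f"{malformed} lines did not match the expected format"})

    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])

    flagged_ips = set()
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: any FAIL_THRESHOLD failures that fall inside WINDOW.
        for i in range(len(stamps) - FAIL_THRESHOLD + 1):
            if stamps[i + FAIL_THRESHOLD - 1] - stamps[i] <= WINDOW:
                flagged_ips.add(ip)
                findings.append({"rule": "brute_force",
                                 "detail": f"{ip}: {len(stamps)} failed logins, "
                                           f"{FAIL_THRESHOLD}+ within {WINDOW}"})
                break

    for ev in events:
        if ev["result"] != "Accepted":
            continue
        if ev["ip"] in flagged_ips:
            findings.append({"rule": "success_after_brute_force",
                             "detail": f"{ev['user']} from {ev['ip']} at {ev['ts']}"})
        elif ev["ts"].hour not in BUSINESS_HOURS:
            findings.append({"rule": "off_hours_login",
                             "detail": f"{ev['user']} from {ev['ip']} at {ev['ts']}"})
    return findings


def constructed_log(n_routine=5000):
    """Constructed sample: thousands of routine daytime logins plus a few suspicious events."""
    base = datetime(2024, 3, 4, 8, 0, 0)
    lines = []
    for i in range(n_routine):
        ts = base + timedelta(seconds=7 * i)  # about ten hours of normal activity
        lines.append(f"{ts.isoformat()} sshd: Accepted password for user{i % 40} from 10.0.0.{i % 50 + 1}")
    # Twelve failures in ninety seconds, then a success from the same address.
    attack_start = datetime(2024, 3, 4, 12, 30, 0)
    for i in range(12):
        ts = attack_start + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()} sshd: Failed password for admin from 198.51.100.7")
    lines.append(f"{(attack_start + timedelta(minutes=2)).isoformat()} sshd: Accepted password for admin from 198.51.100.7")
    # A valid-looking login at 03:15 that still merits a question.
    lines.append("2024-03-04T03:15:00 sshd: Accepted password for finance1 from 10.0.0.3")
    lines.append("garbage line that a broken forwarder produced")
    return lines


if __name__ == "__main__":
    sample = constructed_log()
    results = triage(sample)
    print(f"{len(sample)} log lines reduced to {len(results)} findings:")
    for f in results:
        print(f"  [{f['rule']}] {f['detail']}")
```

Run as a script, it reads just over five thousand constructed lines and prints four findings. The point for a business reader is not the specific rules but the ratio: the reviewer's job shrinks from the whole log to a handful of lines, and the malformed-line count keeps a silently broken log source from becoming a blind spot.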

 

Implement appropriate detection along with the necessary procedures and reporting

Once you determine your approach to detecting hackers, it’s time to roll it out to your organization. Luckily, this is the easier part of the equation and consists of establishing the policies and procedures for reviewing the data. No matter the path you choose, there is very little impact on the users or any business function. Detection is all on the backend, and the heavy lifting is done by IT and your security team. If you choose the simple layered-technology route, a user may notice something is up if the installed detection platform detects something bad: the affected program is immediately stopped and suddenly closes on them. This is a good thing because it limits and starts isolating the breach.

The more challenging aspect of labor-intensive detection is needing someone or something to analyze the reams of information. We leverage systems with robust artificial intelligence and machine learning to greatly reduce the noise so our security techs only need to spend time reviewing actual possible risks. Along with the data, we leverage the NIST-oriented policies and procedures we have to make sure that the outcome is as strong as the data inflow. Without this piece, you could have an amazing platform gathering great log data, but never know if a hacker is in your network stealing your data.

Detection is a critical step for maintaining your security. Without it, you will know too late if you have been hacked. Over time the detection systems will be integrated into the protection systems, which will make life easier for everyone. In the meantime, it is time to take the detection layers of your security sandwich seriously and do something about it. Don’t you want to know if a hacker is in your data? I know I do…

Step 4: Responding to Cyber Risks

Prudent business leaders and risk managers understand that identifying, protecting against, and detecting risks are necessary, albeit fallible, actions to mitigate a complex world full of risks. As we have seen from prior posts, cost, time, and resource tradeoffs exist in every business, hackers are creative, and humans are, well, human. That is why step 4 of the NIST framework, Respond, is crucial. A risk may make it through your cybersecurity layers “sandwich.” Whether or not your people stay productive, the enterprise stays up and running, and your data stays safe is a result of an effective response. Respond is often communicated as the “easy” part of cybersecurity. After all, you already have IT support in place and they’ll be there to “respond” and address any security incident, right?

Don’t bet on it.

Your current IT will definitely respond, but don’t assume that they are prepared to do all of the right things. Every cybersecurity event is unique. Entering an event with a cavalier “been there, done that” attitude can lead to overconfidence and prematurely applying a fix that makes the situation worse. We have seen this happen all too often. For example, one company was hit with a ransomware outbreak. The IT person started to fix things but then realized that the backups had been failing for months and the removal of the ransomware broke the server. The company’s systems went down and the data was lost.

The Response must be a thoughtful and proper response based on the specific threat and actions laid out in a proactive response plan.

 

In the NIST Respond step, we:

1. Review the Response plan with the appropriate policies and procedures to ensure a prompt response to a cybersecurity incident.

2. Involve the Technical and Strategy teams to analyze the situation, communicate, and eliminate the threat.

Review the Response plan

The IT team you are expecting to respond to a cyber incident needs to have a plan in place. No plan usually means panic, fire drills, and the IT cowboy mentality of just trying things and hoping something works. Not a good place to be when you really need the help right now and need to get things under control and fixed right away. You want to know, before you need it, what this will look like, to get the comfort that your IT team is prepared to respond when needed.

The first part of our plan is to determine the right people on the team to address the incident. We have specific roles to assign: communication, technical, and client management. Having the same person play all 3 roles is a fail. I’m sure you’ve been there. Communication is often more important than fixing the problem. The assigned technician is immediately working on the problem. This is done in a systematic manner, and it always involves the impact on the users. Your client manager will be notified of the situation and will be involved to ensure the communication is happening and the technical side is being handled as best possible.

 

Involve the Technical and Strategy teams to analyze the situation, communicate, and mitigate the risk

You have had a cyber incident and now you need your IT team to get involved and respond right away. The Waident team has a systematic approach for troubleshooting, and that is a part of our critical incident response plan for any cybersecurity breach. The first thing we do is communicate. We communicate internally, with the client, and with 3rd parties if needed. While the communication is happening, in parallel the assigned technician(s) are analyzing the situation to come up with a plan to mitigate and fix the incident. The plan is shared with the internal team and with the client. While the risk is being mitigated, the communication continues until the situation has been resolved. After confirming on the technology side that everything is back to normal, we confirm with the client and users that everything is working for them as they expect and need. At that point, we can claim success.

We do not leave it at that though. We want to know all of the details of how the cyber breach happened, the root cause, and how it could be prevented in the future. Also, ensure that the hackers are completely out of the network and not hiding someplace. This process is done in the Recover phase of the NIST framework.

 

Conclusion: Responding to Cyber Risks in SMBs Using the NIST Framework

You can “respond” to a cyber incident and you can Respond to a cybersecurity incident. The difference is an IT cowboy versus an IT team with a plan. You have put layers of cybersecurity protection and detection in place, but inevitably there is a security breach that could not be blocked. At that point, you need to respond to the incident and do it in a very crisp manner before the incident escalates and/or causes extended downtime. You really need an IT team with a plan.

Step 5: Recovering from Cyber Risks

A ransomware attack happens every 11 seconds. In 40% of companies that get hacked, the same organization is hit again within 9 months. I don’t share that to scare you (although it should get your attention). It happens because companies think they have addressed and controlled a hack by isolating it in the Respond step. Statistics show that most companies begin operating as if they are “back to normal” before they have fully identified the extent of a breach and closed the hole that allowed it. If you don’t want to be part of the 40% who did not fully recover from a cybersecurity incident and left themselves vulnerable to a second attack, recover from cyber risks using the NIST Framework.

SMBs can use the NIST Recover function to identify appropriate activities to maintain resilience and restore any capabilities that were impaired due to a cybersecurity incident.

In the NIST Recover step, we:

1. Recovery Planning – Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity incidents.

2. Forensics – Make sure the bad actors are definitely removed and blocked from your systems.

 

1. Recovery Planning

After a cybersecurity incident, it’s critical to know which systems to focus recovery efforts on and where to look for vulnerabilities. This requires software platforms that dig in and ferret out security risks, and capable technicians to drill into those risks and lock them down. Having your cybersecurity team do this after-action review and cleanup puts you in a much better place. Sadly, this step is often skipped, which is why hackers retain access and do their thing months later.

 

2. Forensics

Post-breach forensics ensures the damage has been stopped, locates its root cause in order to fix it, and provides the insights to learn from it. On the most basic level, after you have recovered from the security event, you need a team to review the logs and systems to ensure the breach has been cleared everywhere and there are no back doors for the hackers to use later. For example, after a user’s email account has been breached and the hacker attempts to use the account to complete a wire transfer, changing the user’s password and calling it a day is not a sufficient response. IT must examine other email accounts to identify unusual activity. Were any new accounts, or worse, administrative users, created during that time? Were any new rules created in the Outlook account that need to be removed? Could multi-factor authentication have prevented the breach? You cannot determine the proper Recovery actions without a thorough assessment of the incident on all levels, including technology, security tools, procedures, and human error.
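The mailbox review described above, as an added example that is not part of the original post or Waident’s tooling: it runs over constructed exports of a breached user’s inbox rules and of directory accounts (the tenant domain, the incident window, and the record format are all assumptions) and flags the things a forensics team would look at first: external forwarding, rules that delete mail, and accounts created during the incident.

```python
# Added example, not from the original post: post-breach review of a compromised
# mailbox run over constructed sample records instead of a live tenant.
from datetime import datetime

COMPANY_DOMAIN = "example.com"  # assumed tenant domain
# Assumed incident window, from the point the fraudulent wire request was noticed.
BREACH_START = datetime(2024, 3, 13, 18, 0)
BREACH_END = datetime(2024, 3, 14, 12, 0)

# Constructed export of the breached user's inbox rules (hypothetical format).
INBOX_RULES = [
    {"name": "Invoices to folder", "forward_to": "", "delete_message": False, "created": "2023-11-02T09:10:00"},
    # Rule of the kind a mailbox takeover leaves behind: near-empty name, external forward, deletes the original.
    {"name": "..", "forward_to": "finance@mail-example.net", "delete_message": True, "created": "2024-03-14T02:13:00"},
    # Hides the bank's confirmation replies from the real mailbox owner.
    {"name": "Wire confirmations", "forward_to": "", "delete_message": True, "created": "2024-03-14T02:15:00"},
]

# Constructed directory export: accounts with their assigned roles.
ACCOUNTS = [
    {"user": "jsmith@example.com", "roles": ["User"], "created": "2022-05-10T08:00:00"},
    {"user": "svc-backup2@example.com", "roles": ["Global Administrator"], "created": "2024-03-14T02:20:00"},
]

def in_window(timestamp, start, end):
    """True when an ISO-8601 timestamp falls inside the incident window."""
    return start <= datetime.fromisoformat(timestamp) <= end

def review_inbox_rules(rules, start=BREACH_START, end=BREACH_END):
    """Return (rule name, reasons) for every rule that deserves a human look."""
    findings = []
    for rule in rules:
        reasons = []
        target = rule["forward_to"].lower()
        if target and not target.endswith("@" + COMPANY_DOMAIN):
            reasons.append("forwards mail to external address " + target)
        if rule["delete_message"]:
            reasons.append("silently deletes messages")
        if in_window(rule["created"], start, end):
            reasons.append("created inside the incident window")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

def review_accounts(accounts, start=BREACH_START, end=BREACH_END):
    """Flag accounts created during the incident; admin roles are the worst case."""
    return [
        (a["user"], "HIGH" if "Global Administrator" in a["roles"] else "MEDIUM")
        for a in accounts if in_window(a["created"], start, end)
    ]
```

Every flagged rule is a candidate for removal and every flagged account for disabling, but only after the team has confirmed how it was created; the script narrows the review, it does not replace it.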

If your company or industry is regulated, you will probably be required to carry out a formal forensic procedure with certified results. If you are not regulated but want to invest in making sure the cybercriminals are out of your systems, you should still consider this step.

No matter how much you protect yourself, you can still get hacked. It’s great to respond quickly and clean things up, but make sure that you do not celebrate and move on too soon.

Without the Recover step in the NIST process, you can never really know if you have addressed the cybersecurity incident or not. Everything may feel “back to normal” but that may very well be short-lived. After all of the angst, disruption, and business loss you had after a security breach, isn’t it well worth the effort to take the additional step and ensure your recovery is complete?

Answer these final questions before you celebrate and get back to business:

  • Are you sure your IT is secure and there is no lingering threat?
  • Has the breach’s damage been stopped?
  • Have you located its root cause in order to fix it?
  • Do you know what you don’t know?
  • What insights have you gained to make your IT more resilient?
  • Does some regulatory body require a compliance review of your breach before you can get back to business?

Conclusion: How to protect small businesses with the NIST Cyber Security Framework

Working Together to Implement NIST

Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework to achieve positive outcomes will vary. The Framework is not implemented as an un-customized checklist or a one-size-fits-all approach for all critical infrastructure organizations.

Because the Framework is outcome-driven and does not mandate how an organization must achieve those outcomes, it enables scalability. A small organization with a low cybersecurity budget and a large corporation with a big budget can each approach the outcome in a way that is feasible for them. It is this flexibility that allows the Framework to be used by organizations that are just getting started in establishing a cybersecurity program, while also providing value to organizations with mature programs.

NIST equips Waident with the tools to help our clients implement a host of cybersecurity standards in a way we could not in the past. We can now manage the entire process and provide the policies to customize for your business. You will quickly be more secure and have the reports and documentation that let your customers know that you have their “cybersecurity backs.”

We do the heavy lifting, so you don’t need to, which makes us happy because security is becoming a big deal to all businesses, big and small.
