Where do you start with managing cybersecurity risk for your organisation? It’s a question organisations of all sizes are grappling with and one Managed Service Providers need to answer on behalf of clients.
Australia and New Zealand are currently lagging behind many countries from a cybersecurity standards and regulatory perspective. For that reason, First Focus have chosen the NIST Cybersecurity Framework v1.1 as our blueprint for cybersecurity.
The National Institute of Standards and Technology (NIST) is a US agency that oversees standards across many industries, including IT. The NIST Cybersecurity Framework is embedded in the US and has been adopted as a standard by countries across Europe, Asia and the Americas.
Five functions (Identify, Protect, Detect, Respond, and Recover) make up the core framework, within which there are 23 categories. More details on the NIST Cybersecurity Framework and the 23 categories can be found here.
NIST describes the framework as a consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures and processes to cost-effectively reduce cyber risks. Importantly it:
• is relatively concise and easy to understand.
• is designed for organisations of any size, in any sector.
• maps to other standards (e.g. ISO 27001, PCI, GS007).
• is funded by the US government and has been adopted by many other countries.
First Focus have adopted NIST because few organisations are fully prepared for the current level of cyber-threats, and a review of our methodology, using best-practice guidelines, was prudent. Our Security Assessment process has since been rewritten and extended following the NIST principles.
Impact of Cybersecurity Failure
Marriott announced in November 2018 that the details of 500 million customers had been compromised, which dropped their share price by over 5%. Less public are the many breaches that occur at small and medium-sized businesses.
The impact on organisations that experience cybersecurity failures can be enormous and sustained. Some of the results from a recent survey were astounding:
• 64% of customers will end their customer relationship after they are affected by a breach
• 41% of small and medium businesses are unaware of the risks associated with human error
• Only 22% of small and medium businesses are willing to improve their security measures from the previous year
Weighing Up the Cost/Benefit
The NIST framework is not prescriptive. There is no one-size approach to cybersecurity and different organisations will have their own appetite for risk. However, we continue to see too many avoidable cybersecurity incidents across the industry. Offsetting cybersecurity risk through education, awareness and preventative actions has never been more important.
According to Gartner, spending on IT security as a percentage of the average total IT budget has increased from 7% in the mid-2000s to just over 10% today. Cybersecurity costs are expected to accelerate further, increasing by a similar amount again by 2022.
Growth in IT security spending has been driven by the adoption of increasingly sophisticated counter-measures, including Multi-Factor Authentication (MFA), disk encryption and staff security training. Previously, a small or medium business with a firewall and anti-virus would have been considered secure. Now, best-practice security solutions include newer services such as:
• Dark web monitoring
• Intelligent threat detection
• Security Information and Event Management (SIEM)
• Security Operations Centre (SOC)
Adopting the NIST framework can help your organisation assess its risk, identify security gaps and determine the most cost-effective strategy for addressing them.