Reduce Cybersecurity Risk: Why you should adopt NIST

Where do you start with managing cybersecurity risk for your organisation? It’s a question organisations of all sizes are grappling with and one Managed Service Providers need to answer on behalf of clients.

Australia and New Zealand are currently lagging behind many countries from a cybersecurity standards and regulatory perspective. So First Focus has chosen the NIST Cybersecurity Framework v1.1 as our blueprint for cybersecurity.

Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is a US agency that oversees standards across many industries, including IT. The NIST Cybersecurity Framework is embedded in the US and has been adopted as a standard by countries across Europe, Asia, and the Americas.

Five functions (Identify, Protect, Detect, Respond, and Recover) make up the core framework, within which there are 23 categories.

More details on the NIST Cybersecurity Framework and the 23 categories can be found here.

NIST describes the framework as a consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks. Importantly it:

• is relatively concise and easy to understand.
• is designed for organisations of any size, in any sector.
• maps to other standards (e.g. ISO 27001, PCI, GS007).
• is funded by the US government and has been adopted by many other countries.

First Focus adopted NIST because few organisations are fully prepared for the current level of cyber-threats. Our Security Assessment process has been rewritten and extended following the NIST principles.

Impact of Cybersecurity Failure

Marriott announced in November 2018 that the details of 500 million customers had been compromised, which dropped their share price by over 5%. Less public are the many breaches that occur to smaller and medium-sized businesses.

The impact on organisations that experience cybersecurity failures can be enormous and sustained. Some of the results from a recent survey were astounding:

• 64% of customers will end their customer relationship after they are affected by a breach
• 41% of small and medium businesses are unaware of the risks accrued with human error
• Only 22% of small and medium businesses are willing to improve their security measures from the previous year

Weighing up the Cost/Benefit

The NIST framework is not prescriptive. There is no one-size approach to cybersecurity and different organisations will have their own appetite for risk. However, we continue to see too many avoidable cybersecurity incidents across the industry. Offsetting cybersecurity risk through education, awareness and preventative actions has never been more important.

According to Gartner, spending on IT security as a percentage of the average total IT budget has increased from 7% in the mid-2000s to just over 10% today. Cybersecurity costs are expected to accelerate further, increasing by a similar amount again by 2022.

Growth in IT security spending has been driven by the adoption of increasingly sophisticated counter-measures, which include Multi-Factor Authentication (MFA), disk encryption and staff security training. Previously, a small or medium business with a firewall and anti-virus would have been considered secure. Now best practice modern security solutions include access to newer services like:

• Dark web monitoring
• Intelligent threat detection
• Security Incident Event Management (SIEM)
• Security Operations Centre (SOC)

Adopting the NIST framework can help your organisation assess your risk, identify any security gaps and determine the most cost-effective strategy for your organisation.