Where do you start with managing cybersecurity risk for your organisation? It’s a question organisations of all sizes are grappling with and one Managed Service Providers need to answer on behalf of clients.
Australia and New Zealand are currently lagging behind many countries from a cybersecurity standards and regulatory perspective. So First Focus has chosen the NIST Cybersecurity Framework v1.1 as our blueprint for cybersecurity.
The National Institute of Standards and Technology (NIST) is a US agency that oversees standards across many industries, including IT. The NIST Cybersecurity Framework is well established in the US and has been adopted as a standard by countries across Europe, Asia, and the Americas.
Five functions (Identify, Protect, Detect, Respond, and Recover) make up the core framework, within which there are 23 categories.
More details on the NIST Cybersecurity Framework and the 23 categories can be found here.
NIST describes the framework as a consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks. Importantly it:
First Focus adopted NIST because few organisations are fully prepared for the current level of cyber-threats. Our Security Assessment process has been rewritten and extended following the NIST principles.
Marriott announced in November 2018 that the details of 500 million customers had been compromised, which dropped their share price by over 5%. Less public are the many breaches that occur to smaller and medium-sized businesses.
The impact on organisations that experience cybersecurity failures can be enormous and sustained. Some of the results from a recent survey were astounding:
The NIST framework is not prescriptive. There is no one-size-fits-all approach to cybersecurity, and different organisations will have their own appetite for risk. However, we continue to see too many avoidable cybersecurity incidents across the industry. Reducing cybersecurity risk through education, awareness and preventative action has never been more important.
According to Gartner, spending on IT security as a percentage of the average total IT budget has increased from 7% in the mid-2000s to just over 10% today. Cybersecurity costs are expected to accelerate further, increasing by a similar amount again by 2022.
Growth in IT security spending has been driven by the adoption of increasingly sophisticated counter-measures, including Multi-Factor Authentication (MFA), disk encryption and staff security training. Previously, a small or medium business with a firewall and anti-virus would have been considered secure. Today, best-practice security solutions include newer services such as:
Adopting the NIST framework can help your organisation assess its risk, identify any security gaps and determine the most cost-effective strategy for closing them.