COMMENTARY
The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 could not have arrived at a more opportune time. Ransomware has already had a devastating impact on businesses and institutions in all industries over the last year: 58% of respondents in a recent survey reported six or more ransomware incidents in the previous 12 months. This comes on top of other concerns such as data breaches, generative AI, insider threats and more. It shows that cybersecurity guidance must become more accessible.
Historically, the industry’s guidance on how to prevent these attacks has been aimed at larger enterprises or critical infrastructure in high-risk sectors. Cybersecurity is a problem for “everyone”, and many organizations have begun to realize that cyber-risks can be just as damaging as other business risks. The same survey found the average downtime for an incident is 56 hours. A 2023 survey conducted by ABB estimated the median cost of downtime to be $125,000 per hour. At that rate, this downtime would cost $7,000,000 per incident.
NIST’s CSF v2.0, released in February, is an important resource that can help organizations of all sizes avoid these costs by reexamining security initiatives, fending off evolving threats, or preparing for today’s innovations using a more guided method. Although it is only a framework, it can inform three key changes that all organizations should make this year.
Three critical changes everyone should make in the coming year
1. Building a New Approach for Securing Infrastructure
It may seem obvious to secure infrastructure: use the right tools to detect and defend against security incidents, as well as to respond to them. Governance is an area that organizations often overlook, but it is also one of the most important additions to NIST CSF 2.0.
A strong governance strategy identifies all concerns about cybersecurity, including those of people, processes, and organizations. This includes the creation of a cybersecurity policy and strategy, the oversight for the strategy, the controls for the supply chain and more.
This is particularly important for smaller businesses that plan to scale up. A plan to react quickly and efficiently to a possible security breach can help reduce the capital losses that inevitably follow: net income, quarterly earnings and stock prices all fall significantly after data breaches. A good plan can reduce these effects.
2. Investing for specific business needs
Depending on the organization’s specific business needs, it may decide to handle risk one way or another. NIST CSF 2.0 helps organizations determine the areas and levels of risks, and then they can choose the best solutions. Many organizations may find this overwhelming, especially since solution providers are constantly innovating and developing more tools.
The industry has a universal truth: security operations center (SOC) analysts are overworked and under-resourced. AI-based and ML solutions are a great way to combat this industry burnout and build resilience in the business against threats. Tools that improve visibility are also essential to further secure the attack surface. Despite investments in tools such as vulnerability management, endpoint detection and response (EDR), security information and event management (SIEM), and others, organizations still have blind spots on the network, in the cloud and in other areas.
3. Developing a Security Hygiene Approach for the Whole Organization
Although the right tools are important, “Protect”, a key part of NIST CSF v2.0, focuses on awareness and training, as well as identity and access management, to manage risk. The framework identifies a number of risk factors, but cyber hygiene is an important part of cybersecurity that is often overlooked.
Exploiting poor cyber hygiene is a tried and tested method that attackers use time and again. The costs can add up. Midsize organizations are lagging behind smaller organizations in terms of cyber hygiene. One successful attack is all it takes to financially cripple a small business. In 2023, respondents paid an average ransom of $2.5 million. Generative AI has made social engineering attacks even easier.
Take Advantage of Industry Resources
NIST’s CSF is not a one-size-fits-all solution. It provides important guidelines but is intended to be used with other frameworks, guidance and tools. It can be tailored to fit the needs of an organization as it grows and changes.
The framework, which is designed to be used by organizations of all sizes, is a great equalizer. It allows smaller organizations to keep up with the industry’s rapid pace of innovation. This includes understanding the threat actors’ advancements and the new tools for defending against them. Both are essential to building long-term business resilience.