You Should Adopt a Cyber Security Framework – Here’s Why
Cyber attacks and security breaches happen constantly around the world, and the attacks keep evolving, becoming more sophisticated and harder to anticipate. This makes it difficult for organisations to proactively prevent phishing, malware and ransomware attacks. So what can your organisation do to become resilient to cyber threats? A suitable cyber security framework, backed by cyber security policies and procedures, can reinforce your organisation's IT security.
Cyber Security Framework
A growing number of organisations are realising that their extensive investment in cyber security technologies has not delivered the resilience to cyber attacks they expected, and are looking for answers as to why they are still susceptible to phishing, ransomware and malware. A large part of the answer lies in understanding and adopting a Cyber Security Framework (CSF). This does not mean that blindly adopting a CSF will put an end to all attacks. It will, however, provide a structured approach to tackling the problem, with controls that can be measured and progress that can be tracked over time.
CSFs document global industry best practice and are designed as a reference for those developing and implementing internal cyber security controls. This lets organisations benefit from the successes and failures of the wider cyber security community rather than learning every lesson first-hand. As with all things cyber, nothing is ever simple: while you will probably agree that adopting a CSF is the way to go, the challenge lies in deciding which CSF is right for your organisation. Listed below, in alphabetical order, are some of the most common Cyber Security Frameworks:
- The Center for Internet Security (CIS) Critical Security Controls
- Cyber Essentials / Cyber Essentials Plus (the UK government-backed scheme)
- National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing
The above list is not exhaustive and excludes licensed or paid-for standards such as ISO/IEC 27001.
How to choose a CSF
A number of factors determine whether the adoption of a CSF will succeed. It is therefore important to choose carefully and to document your evaluation of each framework you consider, so that the decision can be justified later to auditors, insurers and the board. Key points to consider are:
- Which regulatory requirements apply to my organisation, and will the CSF support them? Examples are the EU NIS Directive and GDPR.
- Is the framework intuitive?
- Are easy-to-understand guides and resources available (e.g. step-by-step guides, example worksheets and spreadsheets)?
- Is the framework applicable to the organisation's geographical location (e.g. UK vs USA)?
- If the organisation wishes to obtain cyber insurance, is a CSF relevant to the insurer, and if so which one? Two examples:
- IASME Consortium – Cyber Essentials
- The Federal Trade Commission, in conjunction with the National Association of Insurance Commissioners (NAIC) – the NIST Cybersecurity Framework
In addition to the above, the CSF needs to support effective C-level communication: it should give visibility of the organisation's present cyber security posture as well as the progress made over time towards cyber resilience.
The Future and Next Steps
In a 2017 survey of 319 IT security decision makers, conducted by Dimensional Research on behalf of The Center for Internet Security and Tenable Network Security, respondents identified a number of obstacles to cyber security framework implementation, including a lack of trained staff (57%), inadequate budget (39%), lack of prioritisation (24%) and insufficient management support. In 2020, the drive of the Fourth Industrial Revolution towards universal connectivity and digitalisation will continue, and new technologies and new users will continue to reshape cyber risks. The emergence of 5G networks will result in substantially broader access for both devices and people. Greater and more convenient broadband at higher speeds will also encourage the development and deployment of everything from connected devices and global computing to virtual and augmented reality and artificial intelligence. All of these advances mean that even more data will be gathered than ever before, widening the attack surface that a framework must help govern.
In January 2020, the World Economic Forum noted that risks related to cyber security and data governance are now the top concerns of chief audit executives and corporate boards. This new normal will likely bring businesses to a decision point in 2020: either uncertainty around cyber security will begin to affect business performance, or CEOs and business leaders will develop ways of managing these risks. Those who achieve growth will treat cyber security as a fundamental business concern on a par with finance and HR.
By assessing your organisation's cyber security risk and implementing company-wide changes that improve overall security behaviour, you can substantially reduce the likelihood and impact of a data breach. Want to learn more about cyber security frameworks and how your organisation can benefit from implementing proper procedures like these? Elasticito can help you establish, adapt and implement the policies and procedures best suited to your needs. Talk to the Elasticito team to find your solution.