Keeping security integrated within your organization is one of the biggest challenges I see when assessing office networks.
The reason?
Without a framework to help guide your IT staff and your user base, you’re stuck with a hobbled-together mishmash of practices that might not be doing much to keep your organization secure and compliant.
Because cybersecurity has been one of the biggest concerns in 2018, I want to walk through some simple steps to integrate the National Institute of Standards and Technology (NIST) Cybersecurity Framework—the gold standard for cybersecurity.
The content of the NIST Cybersecurity Framework (CSF) is freely available for all, so I’m not going into detail on the specifics here. Instead, I’d rather lay out some tips on how to make cybersecurity a reality for your office.
5 Steps to Turn the NIST Cybersecurity Framework into Reality
- Set Your Target Goals
Before you even think about implementing security, you need to take a step back and think about why your organization critically needs security. You probably want to protect people (your staff, clients and donors) from harm. You also want to ensure that your organization stays healthy over the long term.
The first hurdle that many organizations confront when putting together a cybersecurity plan is recognizing where their acceptable risk tolerances lie. I often see a complete disconnect between upper management and those implementing IT solutions here.
What you really need to do is draft an agreement among everyone that clearly acknowledges what your tolerance is, and set a budget and high priorities for your office’s security. Define what information is important to your business continuity and what information is sensitive if breached. Determine which departments are most at risk during a data breach or ransomware attack and focus your resources where the risk is greatest.
Consider starting with a single department within your organization as a pilot program. Determine what works within your security plan and what doesn’t. Identify any gaps that you originally didn’t consider and devise a strategy of best practices that fits you. If you go ahead and implement cybersecurity without a plan and without some sort of trial-and-error testing, you are likely putting yourself into a black box of simply hoping everything is okay (but not really knowing what works).
Through the trial-and-error process, you’ll gain a better understanding of what your organization-wide solutions will be and can form a more accurate estimate of how much those solutions will cost.
- Profile your organization’s needs
Next, dive a bit deeper to tailor the framework to your office’s needs. Consider NIST’s different implementation tiers. By defining a profile, you’ll help your organization not only define a risk management process, but also start seeing how to implement such a process and get buy-in from your team. The tier system helps you identify your organization’s cybersecurity maturity and will help you understand where you will want to invest time and resources.
Tier 1 – Your organization does NOT understand your security needs. You are inconsistent with policies and are reactive to security threats (i.e., you only fix things when it’s too late).
Tier 2 – Your organization understands its risks, but doesn’t have a plan to improve.
Tier 3 – Your organization has implemented a standard cybersecurity framework and has policies in place consistent with that framework.
Tier 4 – Your organization is proactively protecting against threats, detecting those threats and predicting security issues that may become threats in the future.
Simply put, the higher the tier, the better off you are. The most effective cybersecurity implementations focus not only on security issues, but on how your specific organization works—accommodating your environment and devising strategies to fit it.
- Assess your current position
Time to conduct a detailed security assessment to understand where you fall. Cybersecurity experts recommend conducting an independent network security assessment to understand your risks and how to avoid remaining low-hanging fruit for cybercriminals. In order to call a network security assessment successful, your vulnerabilities and threats should be fully documented, with resolution plans.
- Analyze your gaps and identify next steps
Now that you have a deeper knowledge of your organizational security risks, an understanding of why they exist and the implications of leaving those gaps open within your office, you need to move on to finding ways to fill them.
Work out which gaps cannot be overlooked and figure out how to go about closing them. Prioritization is key here—are there any issues that are easy to fix and would have a big impact on your network security? For each of your issues, define (1) who needs to be involved, (2) the estimated time to resolution, (3) how much the fix will cost and (4) the cost of leaving the security gap the way it is (i.e., the risk of doing nothing) to help you identify what’s really most important.
- Get to work
Now that you have a clear understanding of your cybersecurity posture (Note: consider a free network security assessment as the path to getting your cybersecurity risks under control), you need to take action to remediate your risks.
Create and document simple security processes. Train your team to be aware of how they fit into your security improvement. Define metrics to help you understand where your security is working and when to change course if it isn’t improving. Set milestones for those improvements and hold your team accountable for reaching them.
Worried about your cybersecurity? Not sure if you’re doing enough to keep your staff and client data secure? Consider a free network security assessment today.