Cybersecurity is a growing concern for businesses of all sizes and industries—and for good reason. As cybersecurity threats and attacks increase each year and more businesses move into software, the trend isn’t likely to subside any time soon. Luckily, there are NIST recommendations to help protect your organization against cyber threats.
But before we dive deeper, here are some eye-opening cybersecurity facts to consider:
- The average cost of a data breach to a major organization is around $4 million—or $150 per record—according to a recent study by IBM and Ponemon.
- That same study uncovered the fact that around 44 percent of all enterprises have been hacked on at least 30 separate occasions in the past 12 months.
- On average, it takes financial companies over three months to detect a data breach, while it takes retailers over six months.
- Since 2005, over 10,000 data breaches have occurred, exposing over 1.6 billion consumer records.
Simply put, data breaches are terribly expensive for companies. And they also scare away current and potential customers. Believe it or not, breaches can even tarnish a business’s reputation for years to come.
And it’s not just large enterprises that get breached. Startups and small businesses suffer security incidents as well. Add it all up, and businesses must do everything in their power to protect themselves against a growing multitude of cyber threats.
The good news? Protecting yourself from cyber threats isn’t as hard as it sounds. There are excellent tools and best practice frameworks out there to help you uplevel your security. One such framework that’s worth a look is from the National Institute of Standards and Technology (NIST).
With this in mind, let’s take a look at an overview of the NIST’s best practices as they relate to businesses like yours.
What is NIST?
First things first: The NIST is a non-regulatory division of the U.S. Department of Commerce that was created in 1901. Back then, the NIST was formed to bolster U.S. competitiveness against the economic powerhouses of the time—such as Germany and the United Kingdom—that had much more advanced technological infrastructures.
Today, the NIST is one of the oldest physical science labs in the U.S. In fact, the organization provides standards of measurements that guide how nearly every type of innovative technology in the country operates. From medical health records and airplanes to global communication systems and skyscrapers, it’s nearly impossible to find a system with measurements that aren’t NIST-based.
Beyond that, NIST also sets forth the policies behind the Federal Information and Security Modernization Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act (SOX), among other things.
What is NIST compliance?
The NIST’s goal is to provide federal agencies and organizations that require strict data protocols with easy-to-use and cost-effective strategies for protecting their information systems and applications.
In 2013, in response to a growing threat of cybersecurity attacks, President Barack Obama ordered the NIST to develop a Cybersecurity Framework for the protection of the following key infrastructure systems:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors
- Materials and waste
- Transportation systems
- Water and wastewater systems
Now, this policy is known as the widely accepted NIST Cyberframework (CSF). At its core, CSF consists of five essential functions that—when followed—ensure for systems-wide protection across an organization’s information systems and applications.
Up next, let’s examine these five functions:
Here, an organization begins to understand what kinds of cybersecurity risks can affect operations. Potential areas of risk include employees, data theft, network breaches, and more.
Once they identify risk, organizations need to figure out what they can do to prevent themselves from any of these kinds of attacks. That way, with proper protocols in place, they can ensure that applications operate as designed and services are delivered seamlessly. In the event an attack does occur, this function helps reduce its impact.
At this stage, organizations need to be able to detect cyberattacks to determine whether they’re taking place—ideally in a timely fashion.
How well is an organization positioned to respond to a cyberattack when it’s taking place? Here, organizations spell out what they need to do when a breach occurs and how well it can reduce the impact of an attack.
Once an attack is over, organizations need to move quickly to resolve any services or systems that have been affected. As a result, the delivery of critical services will only be impacted slightly, if even at all. At this stage, organizations need a plan for how they can restore order and reduce the likelihood a similar attack happens again.
NIST recommendations for FISMA compliance
To make your life easier, there are also NIST recommendations for agencies that must adhere to FISMA compliance. Those take the form of the following nine steps:
- Categorize the data that you need to protect
- Develop a minimum baseline of controls for protecting your data
- Regularly conduct risk-assessments to refine your baseline security controls
- Document these controls in a security plan
- Execute security controls in the appropriate information systems and applications
- Measure the effectiveness of your security controls once implemented
- Determine the agency-level risk based on your security control assessments
- Authorize the information system processing
- Monitor your security controls on a continuous basis
NIST recommendations for securing IoT devices
One of the greatest cybersecurity risks for organizations is the rapidly growing number of IoT devices being used by its employees and customers.
Believe it or not, since many of these IoT devices are provided by the employees themselves, it’s nearly impossible for a business to control the security of each device.
With this in mind, the NIST has laid out best practices for IoT manufacturers to follow—also known as the Core Baseline to Protecting IoT Devices. By adhering to these guidelines, IoT manufacturers can ensure that their customers are protected against cyberthreats beyond their control.
In the above report, the NIST recommends that IoT manufacturers equip each and every IoT device with the following features:
1. Device identification
This feature allows for IoT devices to be logically and physically identified and monitored.
2. Device configuration
Next, NIST recommends that IoT devices are configured so that only authorized entities can modify software and firmware.
3. Data protection
What’s more, each IoT device should have the capability to protect the data that it stores and transmits from unauthorized access.
4. Logical access to interfaces
Additionally, IoT devices should limit logical access to its local and network interfaces to authorized parties only.
5. Software and firmware updates
Further, only authorized parties are able to securely update an IoT device’s software and firmware—either locally or through a network download.
6. Cybersecurity event logging
Finally, an IoT device should have the ability to log cybersecurity incidents. Additionally, only authorized personnel should be able to access this report.
Following NIST cybersecurity best practices is essential for your business
In the age of breaches and malicious actors, it’s more important than ever for all businesses to take proactive steps when it comes to cybersecurity. No matter how big or small your company is, the last thing you want is to get hit by a breach.
Even if your business doesn’t require CIA-level data encryption or doesn’t operate in the U.S., you’d still be better off following NIST’s recommended cybersecurity framework. Across all industries, 70 percent of IT and security professionals support the NIST’s CSF, and for good reason: adhering to these standards drastically reduces the likelihood of a breach.
Security is a journey that requires constant attention. But you don’t have to do it alone. By keeping on top of great frameworks, tools, and learning from your security peers, you can continuously improve and strengthen your posture.
This post was written by Justin Reynolds. Justin is a freelance writer who enjoys telling stories about how technology, science, and creativity can help workers be more productive. In his spare time, he likes seeing or playing live music, hiking, and traveling.