The best way to protect your business from a cyberattack is to implement a strong cyber security plan for your small business to help with clarity and effective planning. There are several cyber security frameworks around, but our recommended small business cyber security plan is the NIST cyber security framework. NIST can look complex, and many small businesses think it’s overkill for their organisation. However, every business can take something from it and improve their all-important cyber security.
In this post, we’re looking at what the NIST cyber security framework is and how you can implement it as a cyber security plan for your small business.
What Is the NIST Cyber Security Framework?
The NIST cyber security framework was drafted by the National Institute of Standards and Technology (NIST) in 2014 under the Barack Obama administration. Its guidance is used by many government agencies in America, as well as many large businesses. When it comes to small businesses, we use it to help our clients put a small business cyber security plan in place, along with tools and processes to prevent a cyberattack.
The NIST cyber security framework is split into five functions: Identify, Protect, Detect, Respond and Recover.
The NIST cyber security framework also includes ‘implementation tiers’, from Tier 1 to Tier 4. The simplest way to think of these tiers is as a score for each function: at Tier 1, your business hasn’t really done anything, while at Tier 4, you’re doing well.
The idea is that you have strategies in each function to be able to set up your small business’s cyber security plan.
Let’s take a look at each function individually.
The first part of this cyber security plan for small businesses requires your business to develop a better understanding of all of the systems that make up the critical infrastructure of your business.
We’re asking which assets and processes in your business need protecting, because you can’t protect something if you aren’t aware it exists. This function means that no important business assets fall off the radar.
One of the activities you do in the identify stage is asset management. List all of the hardware you use in your business, including computers, servers, firewalls, printers, mobile phones, and any smart devices. Additionally, what software are you using that is essential to your business? What cloud services are you using?
Once you know every element of your infrastructure, you will be in a much better position to spot any potential risks. Then, you can go deeper still and focus on risk assessment.
So you know all of the systems you use, and you have identified everything in your business that could be a cyber security risk. Now we move on to the next function in your small business’s cyber security plan – how to protect your business.
In the protect function, we’re looking at what tools and processes you have in place to protect your business and the assets you identified in the first stage against a cyberattack.
For example, you might have identified that Microsoft 365 is a critical system in your business. While using that system, you could become a victim of a phishing attack. To protect against this, we can look at ways to protect our business with cyber awareness training and implementing multi-factor authentication on the Microsoft 365 system.
Another example is a recent real-world case with one of our customers. When we audited their systems (the identify stage), we found a computer with Windows 7 installed. They were aware of this but needed to run an application that only worked on Windows 7. This wasn’t ideal, so we had to remove that computer from the network to protect their business.
So far, you have identified your infrastructure, completed a risk assessment and put strategies in place to protect your business. Many IT companies will stop there, but there are three more steps in the NIST framework that every small business should be using.
Our next function is detect, where we look at what your business has in place to bring problems to your attention. A useful analogy for the detect stage is your house. What tools do you have in your house to alert you to threats? For example, you might have an intruder alarm, a smoke alarm, or a video doorbell, each of which registers a potential danger and informs you. It’s the same when it comes to your business IT.
The detect function is incredibly important. The faster your business can detect a cyber security incident, the better – a delayed response could make a small problem become catastrophic.
Does your business have any security monitoring in place (either internally or by using an external security provider)? Is anyone monitoring any anomalies? If an important cyber security threat could be easily overlooked, it’s time to upgrade.
The next function is respond. Does your small business’s cyber security plan cover how to respond to a cyber security incident?
In this function, we’re looking at tools to analyse the breach, contain the damage and carry out a response plan.
Firstly, you should identify who needs to be made aware. For example, you might need to notify the business director(s) or any affected customers and partners. Then you should analyse what has happened and how the incident occurred. This could be a technology failing – perhaps some software lacked a security patch – or a result of human error.
The final function in the NIST framework is called recover. This is an important final step in a cyber security plan for small business.
Of course, the best way to recover from a cyberattack is not to have one, but businesses can’t afford to work from the best-case scenario. You must have a plan in place to recover.
According to the NIST framework, the recover function is to ‘restore any capabilities or services that were impaired due to the cyber security event’.
The most obvious example in the recover stage is recovering from a ransomware attack. Your business data has been encrypted and can’t be accessed, so you need to restore all your systems from backup. The backup would be a key process in the recover stage.
But the recover function isn’t just about recovering technology. You should be looking at ways that your business can improve its cyber security posture – this has happened, let’s make sure it doesn’t happen again.
Also, it’s good to communicate with staff, customers, and partners at this stage. Don’t brush it under the carpet. You should be honest about what has happened and what data has been compromised.
The NIST cyber framework can look quite complex on first viewing, but it is a great cyber security plan for small business and large corporations alike. If your IT support provider commits to the NIST framework, your business will be much less likely to suffer from a cyberattack, and that can only be a good thing.
Lots of IT companies start and finish at the protect stage. But without the other functions, your business is vulnerable to a cyberattack. If you’re interested in changing your IT provider or if you would like an independent cyber security consultation, please contact us at Integral IT today.