Your Guide to the NIST Cybersecurity Framework | The State of Security
To put the impact of cybercrime into perspective, let’s examine some important, and startling, numbers:
Data breach costs increased from $3.86 million to $4.24 million in 2021.
Every 39 seconds, there is an attack.
About 90% of healthcare organizations have fallen victim to at least one breach within the past three years.
The bottom line? Cyberattacks are frequent and costly, and COVID-19 has only fueled the fire with more employers adopting a remote work structure. Reports of identity theft spiked during the pandemic and an overwhelming majority, specifically 90% of companies, faced an increase in cyberattacks.
In addition to hiring skilled professionals who possess a formal cybersecurity education, companies are turning toward proven tools and resources to protect their valued data and information.
One tool in particular is the NIST Cybersecurity Framework, which is a free resource developed and provided by the U.S. government. Let’s dive in.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) describes the framework this way:
“The framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
It’s important to reiterate that this framework is not mandatory, though it’s certainly recommended since it’s based on well-researched information and best practices. Most importantly, it can be “customized by different sectors and individual organizations to best suit their risks, situations, and needs.”
NIST Framework Background & Development
Version 1.0 of the framework was issued in February 2014 and, according to NIST, “was developed in response to the Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity.”
Development was a collaborative effort between industry leaders, relevant stakeholders and experts in the private sector, and included workshops, community outreach activities and solicited feedback. NIST offers a detailed chart illustrating the evolution of the framework.
Examples of Companies & Organizations Using the Framework
The global impact of the NIST Cybersecurity Framework is far-reaching.
Even though NIST explains that the “primary stakeholders of the framework are U.S. private-sector owners and operators of critical infrastructure, its user base has grown to include communities and organizations across the globe.” The framework is also appropriate for all types and sizes of companies, including small businesses. This user base includes some of the largest organizations across all industries.
How to Get Started
It might seem like a lot of information, but NIST provides a breakdown of everything you need to know to get started. Here are a few important notes:
- The framework is organized into five important functions:
- Identify
- Protect
- Detect
- Respond
- Recover
“These five widely understood terms, when considered together, provide a comprehensive view of the lifecycle for managing cybersecurity over time.”
Consult NIST’s Quick Start Guide for more information and to see the activities listed under each section.
- Questions? NIST has compiled a list of Frequently Asked Questions, including:
- What critical infrastructure does the framework address?
- Would the framework have prevented recent highly publicized attacks?
- What is the difference between “using,” “adopting” and “implementing” the framework?
Does the NIST Cybersecurity Framework Actually Work?
The short answer is yes! In fact, there’s a catalog of success stories that further validates the framework. Businesses, higher education institutions and other organizations have successfully implemented the NIST Cybersecurity Framework in their own ways.
How Often Will the Framework Be Updated?
Cybercrime is constantly evolving, which means the framework will, too. NIST explains that the framework will be “refined, improved, and evolved over time to keep pace with technology and threat trends, integrate lessons learned, and establish best practice as common practice.”
In the end, it’s important to consult the right resources and employ the right skilled professionals to fight cybercrime. If you’re looking to strengthen the front lines of your cybersecurity team, the NIST Cybersecurity Framework is an important tool worth checking out. As we unfortunately know, cyber criminals do not discriminate when it comes to an attack, meaning that every business and organization in every industry is at risk.
Author Bio: Michelle Moore, Ph.D., is an academic directory and professor of practice for the University of San Diego’s innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.