In the children’s story, “The Three Little Pigs,” the Big Bad Wolf tried a frontal assault by blowing the first two pigs’ houses down. By the end of the story, the pigs had come together, and through the preparation and efforts of the third pig building a house of bricks, taken refuge in the brick house and withstood the Wolf’s attack. In today’s world with a global economy, e-commerce, and utilization of technology to do business, the Big Bad Wolf will not knock on the front door. Instead, the Big Bad Wolf sits at home in its den using a computer to hack the data network and steal customer information, back accounts, social security numbers, and money. A brick house in today’s business environment is a strong and robust cybersecurity program. From direct deposits and online shopping to phishing and identify theft, the benefits and risks from increasing reliance on electronics and technology add another lawyer of compliance that businesses, ownership, management, and industries must not only recognize but immediately integrate and sustain for continued success and survival. This is why cybersecurity programs are necessary and invaluable to any company’s success and survival.
Cybersecurity is no longer a concern for just financial institutions, government agencies, or multi-national conglomerates. Any business involved in utilizing technology and electronics to engage with its customers and enter the business marketplace is subject to attack. Every day thousands of companies big and small and in various market and industry sectors are besieged by cybercriminals. By being proactive, committed, and vested in cybersecurity, a company, regardless of size, market, or industry, can prepare, implement, and sustain best practices, policies, and procedures that will help it defend against cyberattacks. Although not exhaustive, and priorities can change dependent upon risk and exposure, three primary areas a company can start with are active monitoring and assessments, implementation of the U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity (CS) Framework, and employee training.
While this article does not go into the breadth and depth of all elements necessary for a substantive program for addressing and managing cybersecurity risks, the first area that is extremely vital to a cybersecurity program involves monitoring and risk assessments. The success of any cybersecurity program can be determined by the risk assessments it performs on an ongoing and active basis. Monitoring and risk assessments are not limited to the most critical areas of a company, but, rather, risk assessments should be comprehensive, expansive, and utilized to identify and quantify risk in real-world settings and scenarios. A solid and strong cybersecurity program will have monitoring and risk assessments that involve and include all systems, sub-systems, devices, assets, and the workforce to determine what vulnerabilities are present. This tool is important for any business because it leads to the discovery and analysis of cybersecurity weaknesses. Further, through monitoring and risk assessments, an organization can evaluate and emphasize the potential consequences that it faces. This helps add an additional layer of mitigation and protection against a potential cybersecurity attack.
The second critical area for addressing cybersecurity is following and implementing the NIST CS Framework. The CS Framework is the result of a February 2013 Executive Order signed by President Obama titled “Improving Critical Infrastructure Cybersecurity,” as well as a near year-long effort of, and input from, thousands of security professionals from the public and private sectors. See Federal Register, Executive Order 13636—Improving Critical Infrastructure Cybersecurity, February 19, 2013 (EO 13636). The CS Framework comprises a risk-based compilation of guidelines that can help organizations, public and private, big and small, identify, implement and improve cybersecurity practices, and create a common language for internal and external communication of cybersecurity issues. As EO 13636 states, “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyberenvironment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Through the creation of the CS Framework, a set of industry standards and best practices has been created. However, these standards and practices are not static. The CS Framework is designed to evolve and adapt to the changes and developments in cybersecurity threats, technology, processes, and advances.
The CS Framework’s application to a business places a focus on the business to lead and guide cybersecurity activities and risks as part of that organization’s compliance practices and risk management processes. The CS Framework consists of three parts: (1) the CS Framework Core; (2) the CS Framework Profile, and; (3) the CS Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references common across critical infrastructure sectors, and provides detailed guidance for developing individual organizational Profiles. The use of the CS Framework Profiles helps a business align its cybersecurity activities with its business requirements, risk tolerances, and resources. The CS Framework Implementation Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. Pursuant to EO 13636, a business’ CS Framework must include a methodology to protect individual privacy and civil liberties as part of its overall program.
Once the CS Framework is established, its core Functions are five-fold: (1) identify, (2) protect, (3) detect, (4) respond, and (5) report. These five functions establish what a CS Framework must be and should be doing and achieving. It is important to note, however, the five functions are not static; rather, these functions are the pathway to continued compliance, implementation of best practices, and achieving an ongoing culture focused on cybersecurity.
For any business, the ability to identify cybersecurity risks is imperative to proper and effective use of the CS Framework. It is necessary that an organization identify not only risks, but also its own business processes, market and industry changes, resources (e.g., economic, human capital, etc.), and organizational commitment (e.g., culture). The protect function mandates the development and implementation of the appropriate safeguards to ensure delivery of critical infrastructure services. By protecting itself, a business can have the ability to minimize, withstand, and contain the impact of potential cybersecurity attacks, breaches, and other cybercrimes. The detect function requires development and implementation of appropriate, and ongoing, processes, procedures, and internal controls that timely identify an event. The detect function is not simply about a major event, but rather, focus is given to anomalies, glitches, minor events, and significant breaches. The response function can mean the difference in millions of dollars of lost data, information, and assets, as well as the simple survival of the business. A company must develop and implement appropriate response procedures and protocols in order to address a cybersecurity event. The recover function requires the development and implementation of actions to maintain plans for continued operation and restoration of any services that may have been impaired, interrupted, or affected by a cybersecurity event. A proper recovery can achieve a return to normal operations as soon as possible, which includes not merely being functional, but returning to where the business was prior to the event. These five functions are the goals for an effective cybersecurity program.
Whether it is knowing what emails to open, websites to avoid, or appropriate documents to download, employees have to make daily and often time critical decisions that directly impact the company. As a result, employee training is crucial for a company to address and implement its cybersecurity program. While it is not an easy task, a delicate balance must be achieved between creating a secure environment and permitting employees a level of freedom and responsibility to perform their jobs. It is necessary to make sure employees understand their importance to an effective cybersecurity program, and the company’s overall security. Therefore, employees must know what to look for, how to respond, and how they stay aware of potential risks. Ongoing training can help keep employees on top of the types of threats that the company may be facing, and red flags they can look for throughout their day-to-day activities. It is important that training include all levels of an organization, including, but not limited to, ownership, executives, managers, employees, and agents or third-party representatives. All aspects of a company’s workforce (top to bottom) must participate in and continue in training.
With a consumer base more and more reliant upon technology to aide in its acquisition of goods or services, whether financial, retail, or industrial, it is incumbent that companies engaged in utilizing technology to interact with its customers, or simply conduct business, commit to implementing and sustaining cybersecurity policies, procedures, and best practices. Moreover, the necessity to address the constant threat of cyber liability from data breaches, identify theft, or other cybercrimes must be a top priority of any business, owner, executive, manager, and employee. Without an active cybersecurity program, the Big Bad Wolf will not have to huff and puff; it can simply push a button and blow your house down.