The following is adapted from Fire Doesn’t Innovate.
The Internet is becoming increasingly dangerous for all Americans due to the activities of organized crime and foreign nation-states. The US government recognizes this rising threat. The government also understands that our country’s critical infrastructure depends on computers: electricity, natural gas, clean water, sewage, and more.
Since the federal government can’t be everywhere to protect all of this infrastructure or the private businesses that provide the services dependent on computers, it created a framework that anyone can use in order to be more prepared for cyberattacks.
The NIST Framework is an incredibly adaptive solution. It’s not prescriptive. Rather than tell people exactly what to do, the framework gives businesses the information needed to come up with cybersecurity plans tailored to their specific needs.
The framework is organized around five functions:
- Identify
- Protect
- Detect
- Respond
- Recover
Let’s look at each of these five functions in more detail.
Identifying your assets and risks is foundational to executing the rest of the steps in the NIST Framework. If you’re overlooking any asset (e.g. customers’ credit card data), then you won’t know whether you have the right protective and detective controls in place.
In 2009, the FTC accused CVS Pharmacy of not having any cybersecurity policies. For a pharmacy that oversees a lot of sensitive customer data, it was a harsh claim.
Surely, they had a structured, systematic, comprehensive process in place to protect that private data, right? No. Not only did they not have a comprehensive process, they didn’t have any process. It was off their radar completely. The FTC found that CVS was putting their customers’ health care at risk by not securing their sensitive data.
Another great example of this is the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires that anyone in possession of an electronic health care record protects that record according to HIPAA’s specifications.
However, many companies carry sensitive digital assets for which there are no external compliance regulations, such as payroll records and trade secrets.
Ironically, if you’re too focused on complying with outside regulators, you won’t be effective in protecting all of your digital assets. You will maintain only the bare minimum of compliance without identifying your less obvious risks and assets.
What you need is a comprehensive, prioritized inventory of all of your assets, where they are, who’s handling them, and who’s been granted access to them. If third parties have access to your sensitive digital assets, you need to make sure they’re exercising the same caution that you would in the processing and storing of that data.
Without identifying your assets, and the risks to them, you can’t protect them.
This step is based on the idea that, having identified your assets and your risks, you can now take action to prevent bad things from happening to them. You know which assets to protect, and this framework offers different ways you can do that.
You can implement access control so that people who are not authorized to access an asset are blocked from doing so. You can also educate people and train them on how to avoid common security risks, such as a phishing attack.
There are also techniques such as data encryption to prevent attackers from looking at your data even if they happen to come into possession of it.
Your goal is to have the correct processes in place and to test them to make sure they work. For example, if you’re backing up the data on your systems, you need to conduct a test to make sure that the data you’ve backed up can, in fact, be restored.
In so many cases, companies have been doing data backups for years, only to find out the backup system doesn’t work when needed because it was never tested.
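A concrete form of the restore test described above, added here as an example and not taken from the book: it backs up a constructed sample tree with tar, restores it into a scratch directory and compares checksums, and also shows the test failing when the live data has drifted from the backup. The directory layout, sample files and function names are assumptions.

```shell
# Added example (not from the original article): a minimal restore test.
# A backup is trusted only when a restored copy matches the original
# byte for byte; a second check proves the test can actually fail.
set -eu

# Create a small constructed data set standing in for real records.
make_sample_data() {
  mkdir -p "$1/records"
  printf 'customer,card_last4\nalice,1234\n' > "$1/records/customers.csv"
  printf 'payroll 2024-01\n' > "$1/payroll.txt"
}

# Checksum manifest of every regular file under $1, by relative path.
manifest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done)
}

# Archive the tree $1 into the tar file $2.
take_backup() { tar -C "$1" -cf "$2" .; }

# Restore archive $1 into a fresh scratch directory and compare it with the
# source tree $2. Returns 0 on an exact match, 1 otherwise.
verify_restore() {
  scratch="$(mktemp -d)"
  tar -C "$scratch" -xf "$1"
  if [ "$(manifest "$2")" = "$(manifest "$scratch")" ]; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return "$rc"
}

# Positive check: a fresh backup must restore to an identical tree.
run_restore_test() {
  work="$(mktemp -d)"
  make_sample_data "$work/src"
  take_backup "$work/src" "$work/backup.tar"
  if verify_restore "$work/backup.tar" "$work/src"; then rc=0; else rc=1; fi
  rm -rf "$work"
  return "$rc"
}

# Negative check: the test must notice when the restored data no longer
# matches the live system (here a file edited after the backup was taken).
run_mismatch_test() {
  work="$(mktemp -d)"
  make_sample_data "$work/src"
  take_backup "$work/src" "$work/backup.tar"
  printf 'edited after backup\n' >> "$work/src/payroll.txt"
  if verify_restore "$work/backup.tar" "$work/src"; then rc=1; else rc=0; fi
  rm -rf "$work"
  return "$rc"
}
```

Run `run_restore_test` on a schedule against real backup media, not just once; a restore that worked last year is the situation the paragraph above warns about.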
Detection is your ability to recognize when something bad has happened to your digital assets. It takes, on average, anywhere between one hundred to two hundred days for someone to know they’ve suffered a data breach. By that time, you may not be able to recover whatever has been lost, including your and your customers’ sensitive data.
Most executives don’t have a specific set of practices to help them detect cyberattacks. They often find out through a third party in one of three ways:
- Law enforcement contacts them unexpectedly. This usually happens when officials discover a stash of data while investigating a different crime.
- A customer or business partner calls them and says, “I trusted you with my sensitive data, but it was stolen. Now you have to pay for the repercussions.”
- A news reporter contacts them saying, “We learned that your company suffered a massive data breach, and we’ve prepared a story. We’re going to release it on the five o’clock news. Would you care to comment before the story goes live?”
Wise executives know when breaches happen within their organization without needing an outsider to tell them. A long detection time means law enforcement, customers, and media have a longer time frame to convict you in the court of public opinion. Moreover, the longer it takes for you to detect a breach, the costlier it becomes.
Perfect prevention of all cybersecurity breaches is no longer possible, which is why the Respond function is built into the NIST Framework. After you discover a breach, you want to contain the damage. Ensure you have a communications plan prepared and practiced. That includes which of your stakeholders you’ll inform and at what priority, and having a PR staffer to distribute press releases and handle media queries professionally.
Also, talk to a lawyer who can interpret the different statutes that apply to your situation before you notify law enforcement. The first time you call law enforcement should not be the moment your hair is on fire because of a fresh data breach.
In fact, once you develop your cyber risk management game plan, you should be in contact with law enforcement before you need them to let them know what your plan is. This will not only make them more prepared when you do push the red panic button, but they will also give you the benefit of the doubt when you do.
Find competent people who have experience guiding an organization through a data breach response. Those are the people you should have on your team, whether you hire them or contract them (depending on your risk levels).
As an executive, there is no need to feel that you have to respond to a data breach alone. Quite the opposite. You won’t contain the damage of a data breach without a team of prepared professionals ready to respond and recover.
One of the best ways to build a response team is to buy a cyber resilience insurance policy that offers a data breach coach and on-demand response services, such as:
- Digital forensics
- Crisis communications
- Legal defense
- Data breach notification
Once you have successfully contained a cybersecurity incident and it is no longer causing damage to you or your stakeholders, your major focus shifts to recovery.
In general, you can begin recovery activities before you’ve mitigated the incident—there is some overlap—but it’s easier to think of these as distinct steps in the framework.
The goal of this phase is to make sure that you can return to normal operations as quickly and as securely as possible. That not only includes the operational aspects of your organization but also the public relations side. Once you have achieved some level of recovery, you can re-open your doors and declare that the incident has been handled.
This is why it is vital to be proactive about public relations in the Respond phase. Just because your doors are open doesn’t mean your customers will walk through them.
Your reputation is everything. The court of public opinion can put you out of business in a flash if you let it (search the web for the story of the law firm Puckett & Faraj to see what I mean). If your customers do leave, getting them to return is a function of this phase. Working from your prepared crisis plan, explain to them in simple terms what has happened, how sorry you are, and what steps you’ve taken to ensure this won’t happen again in the future.
Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).