by Chris Foster
Cybersecurity and the C-Suite
Compared to other employees, C-Level executives are 12 times more likely—and executives six times more likely—to be the target of a social engineering phishing campaign, according to Verizon’s 2019 Data Breach Investigations Report (DBIR). This is especially concerning as executives have access to critical business systems and processes within the organization. If that executive is compromised, everything they have access to may be open to compromise as well. How can an organization mitigate these cybersecurity risks to their executive staff?
The United States National Institute of Standards and Technology (NIST) Cybersecurity Framework is a cybersecurity-focused operational framework that can be used to ensure the proper policies, processes and procedures are developed, implemented and operationally maintained. The framework was produced in response to the February 2013 Presidential Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” It was created with extensive input from both public and private sector organizations to manage cybersecurity-related risks to systems identified as “critical infrastructure systems” by the US government. However, it can be used by organizations in any sector, as it is intended to be useful to private sector businesses, government agencies and not-for-profit organizations, regardless of their focus or size.
NIST Cybersecurity Framework Core
The NIST Cybersecurity Framework is a risk-based approach to managing cybersecurity threats and comprises three parts: the Core, Implementation Tiers and Profiles. The Framework Core is a set of activities and outcomes that are designed to be intuitive and allow for communication between both technical and non-technical teams. The Core includes five functions, each of which reduces cybersecurity risk to the business:
Identify: This function provides activities that can help an organization better understand its systems, people, assets, data and capabilities. The Identify function is critical as it is impossible to develop an effective cybersecurity strategy without first identifying business-critical systems, processes and assets, and gaining a detailed understanding of how they are interconnected and interoperate to support the business. Outcome categories of the Identify function can include asset management, governance, risk assessment, business impact assessments and risk management strategies.
Protect: This function develops and implements the appropriate safeguards to ensure critical IT services operate in a manner that will provide confidentiality, integrity and availability of these systems, as well as the applications and data they provide. The Protect function activities can limit or help contain the damage that is incurred by a cybersecurity event. Outcomes of the Protect function can include plans which address the following: device configuration management to include the enforcement of secure configurations; patch management; identity management and role-based access control to include least privilege; data security; system audits; and malware endpoint protection.
Detect: This function develops and implements the appropriate systems, processes and procedures to detect, identify and alert on the occurrence of a cybersecurity event in a timely fashion. The Detect function is important as it will provide timely notification that a cyberattack is underway, allowing for a faster response and containment of the attack. This can greatly reduce the damage that is inflicted by a cyberattack as it can stop it before it affects other systems. Outcomes of the Detect function can include continuous monitoring for anomalies and events, which can include intrusion detection and security information and event management (SIEM) systems.
Respond: This function develops and implements the appropriate steps to take when a cybersecurity event is detected. The Respond function includes the ability to manage and contain different types of cybersecurity incidents to prevent them from spreading. Outcomes of the Respond function can include business continuity planning, cyberattack incident response, disaster recovery planning, stakeholder communications, and threat analysis and cyberattack mitigation activities.
Recover: This function develops and implements activities to maintain plans for IT service resiliency and to recover and restore any IT-related capability or service that was affected by a cybersecurity incident. Outcomes of the Recover function can include business continuity planning and disaster recovery planning.
The Framework and Executive Impact
How the different functions of the Framework Core are implemented depends on the specific parameters and requirements of the business. Some factors include risk tolerance, how executives access and consume IT services, and the high risk/high impact systems, processes and procedures of the business. Once identified, the framework will provide guidance as to how to reduce cybersecurity-related risks to these assets.
Obviously, executives are valuable assets to an organization and as a result are highly targeted by cybercriminals. While many organizations initially deploy a cybersecurity framework to protect high-value assets—including mission critical systems and executive leaders—it can also provide protections for other systems and personnel across the entire organization. A framework can put additional protections in place which can be used not only to reduce the risk to the business from existing cyberattack vectors, but also to afford protections against new ones as they emerge.
A Cybersecurity Framework for your Organization
Whether using the NIST approach or a different cybersecurity framework (CSF), it is important to develop and implement a framework to mitigate cyber-related risks to the business. A CSF will ensure business-critical systems are identified and the proper policies and plans are developed to protect these systems. It will provide a cybersecurity strategy that affords both defensive and offensive protections against attacks. A CSF offers a game plan for how to proactively defend against cyber threats and provides a documented incident response to follow when a security event occurs.
The incident response includes: who needs to be contacted when a cyberattack has been identified; steps to stop or contain an active attack; contact information for stakeholder engagement; activation of disaster recovery plans; activation of business continuity plans; and how to engage third-party vendors for support or required regulatory reporting of the incident. Without a CSF in place, the business is exposed to a heightened amount of risk as there is no defined, documented procedural way to qualify or quantify the business's capability to prepare for, defend against and respond to cyberattacks.
Research has shown that, without a CSF in place, attacks are not contained or stopped as quickly, which can lead to increased compromise of data and/or services. That can cause financial and reputational damage to a business through increased regulatory fines, loss of brand reputation, stolen intellectual property, stolen customer data, compromised systems, and an overall reduction of its competitive advantage. With a CSF, the business's security and IT teams are aware of current and emerging threats and will have guidance on how to remediate or mitigate these threats as they occur.
iVision Fills the Gaps
iVision is passionate about ensuring that our clients are protected against all cybersecurity threats. We believe that the successful implementation of a CSF directly supports the advancement of an organization’s security posture and reduces their exposure and risk. We offer a variety of services to support our clients in their framework efforts. That might include providing a holistic review of an existing CSF, validating that policy and controls exist and are supporting their business goals, providing targeted steps to manage a staged implementation of a CSF, and designing and implementing secondary technical solutions.