As someone in the business of security, you may have heard of the NIST Cybersecurity
Framework, developed by the US Commerce Department''s National Institute of Standards and Technology (NIST). It was initiated by way of an Executive Order from US President Barack Obama in response to the government''s
growing concern of over cybersecurity and the threat it poses to national and economic security1.
This most probably came on the back of comments from people like the US Director of National Intelligence who ranks cybercrime as the top national
security threat, higher than that of terrorism, espionage and weapons of mass destruction2.
This is backed up by the numbers – according to PriceWaterhouseCoopers (PwC) in their most recent State of Cybercrimes survey, over three quarters of US companies
detected a security breach in the past 12 months, and more than a third said the number of security incidents detected had increased over the
PwC also found that the average number of security incidents detected in 2013 was 135 per organisation, which is more than 2.5 incidents per week.
And this does not account for incidents that go undetected – in 2013 the FBI notified 3,000 US companies that they had been victim of cyber
intrusions. This is quite alarming. Three thousand companies needed the FBI to tell them their systems had been compromised.
It was due to this increased threat of cyber attacks taking place against US businesses and government departments, that President Obama instructed
NIST to collaborate with government and private businesses to develop a framework for reducing the risks to critical infrastructure from cyber
After a year in development, this framework was released in 2014 and contained standards, guidelines and practices to help government agencies and
private business reduce cyber risks to their critical infrastructure – perfect for organizations who are looking to beef up their security to
protect valuable information.
In the State of Cybercrimes report, PwC explains that whilst it is a voluntary framework, it defines standardized cybersecurity activities, desired
outcomes, and applicable references that constitute sound cybersecurity. As per NIST, the prioritized, flexible, repeatable, and cost-effective
approach of the framework will help owners and operators of critical infrastructure to manage cybersecurity-related risk.
At the core of the framework are five key functions that should be continuously monitored and improved upon:
1. Identify: Understanding the risks to systems, assets, data, and their capabilities – and knowing how to manage them.
2. Protect: Implementing suitable safeguards to protect your assets and deter security threats.
3. Detect: Continuous monitoring for proactive and real-time alerts of potential threats.
4. Respond: Suitable policies and activities in place for prompt responses to security incidents.
5. Recover: Implementing a continuity plan to preserve flexibility and recover system capabilities after a breach.
The vast majority of respondents from more than 500 executives of US businesses, law enforcement services and government agencies fell well short
of these guidelines in PwC''s survey.
With concern about cyber threats within both public and private sectors at an all-time high, PwC was shocked to discover that organizations had
done little, if any, to invest in cybersecurity and align it with their overall business strategy.
It is vitally important that organizations invest in resources to identify and categorise their most valuable digital assets, and determine where
these are located across the system - and who has access to them.
Does your organization have a security framework in place? It is never too early to look at reviewing your policies. How does yours stack up
against the NIST Cybersecurity Framework?
1. [NIST Cybersecurity Framework]
2. [Director of National
Intelligence, Worldwide Threat Assessment of the US Intelligence Committee, January, 2014]
3. [PwC: ''US cybercrime: Rising risks, reduced readiness. Key findings from the 2014 US State of Cybercrime Survey.'' June