Devising and implementing an effective cybersecurity strategy isn’t a one-and-done chore for businesses. Good cyber defense requires an ongoing commitment.
Working their way through federal guidelines would be a great start for many small and midsize businesses, but the work does not end there.
The continuing commitment required to maintain a good cyber defense was among the points that private cybersecurity experts stressed in a recent Department of Homeland Security webinar.
The 90-minute event focused largely on how businesses can use the NIST Cybersecurity Framework to develop a cyber defense strategy tailored to their operations. NIST is short for the National Institute of Standards and Technology. The federal agency led the development of guidelines, designed with business input, to help companies improve cyber risk management and protect the nation’s critical infrastructure.
Watch a replay of the free webinar here or at the bottom of the article.
Two experts from SDN Communications were among the four panelists who shared corporate experiences. Jake VanDewater, director of network operations, and Chris Aeilts, a sales engineer, offered their suggestions to the national audience.
VanDewater and Aeilts recounted SDN’s experience in working through the NIST Cybersecurity Framework with help from CyberRx, a software tool that helps companies analyze and reduce risks.
“The Framework is good to use one time, but I think where it really comes into its own is when you take a year-after-year evaluation approach to be able to see your own progress as you continue,” Aeilts said.
Aeilts stressed that companies should work on the most important, high-impact issues first.
VanDewater suggested that companies establish a security committee to, for example, define areas of responsibility and accountability. He also emphasized the need for businesses to provide good, ongoing training to employees.
Speakers generally agreed that employees are a highly vulnerable first line of defense for companies. The speakers also generally agreed that phishing is the most common threat to companies’ network security.
Phishing is an attempt by cyber thieves to enter a company’s network fraudulently, for example by getting an employee to open a malicious link in an email or by coaxing them into providing a password or other sensitive information. Employee training should be updated and held regularly.
Equipment should be kept up to date, of course. But human vulnerabilities generally present larger security concerns for businesses than mechanical failures.
Resource limitations hamper some businesses from deploying good security. Meanwhile, the fear of attack provides a strong incentive for businesses to act.
The NIST Framework generally is flexible enough to help businesses of various sizes and missions assess threats and minimize risks. But some businesses might benefit from outside help in working through the framework, experts said.
“The beauty of the (NIST) Framework is that it’s a framework,” said Richard Tracy, chief security officer and senior vice president of the Telos Corporation, a cybersecurity consulting business in the Washington, D.C. area. “You can use as much or as little as you like.”
Another speaker, Pete DiLorenzo, compared a business securing a network to an individual getting physically fit.
“It’s a lifestyle,” said DiLorenzo, director of systems and security for Shepherd Kaplan LLC, an investment advisory firm in Boston.
“Don’t worry about how you start or when you start, just start,” DiLorenzo said about working through security guidelines. “It’s going to take time.”
He also stressed the importance of businesses employing people who are dedicated and committed to the organization’s cybersecurity plan.
The webinar was part of DHS’s Critical Infrastructure Cyber Community (C3) Program. The program is among the good national resources available to help businesses develop and improve their cybersecurity readiness.
(Editor's note: We apologize for the audio challenges and appreciate your understanding. It's been edited for time.)
SDN's NIST Cybersecurity Framework Training: Video Series