Typically, businesses that are victimized by cybercrime don’t immediately realize they’ve been attacked. They find out later. Victims might learn about the attack months later when, for example, outsiders bring concerns to the company’s attention.
The surreptitious nature of cyberattacks and the stigma that can come along with being victimized can mask the frequent and serious nature of threats to businesses and institutions.
About 160 people representing a cross-section of industries and service providers invested two days at a NIST Cyber Framework Training seminar recently in Sioux Falls. They recognize the significance of potential risks, and their time was well spent.
The seminar was designed to help businesses in the Upper Midwest learn about a new federal framework available to help businesses improve the security of the nation’s critical infrastructure. The National Institute of Standards and Technology, commonly known as NIST, led the efforts to develop the guidelines.
SDN is among the companies that have worked through the NIST Cybersecurity Framework to sharpen the company’s security policies and practices.
“The NIST Cybersecurity Framework is an excellent tool organizations can use to strengthen an existing cybersecurity program or create a program from scratch,” SDN CEO Mark Shlanta told people who attended the seminar. “The framework is voluntary, flexible, and scalable. It directs organizations to focus on risk management and challenges them to think critically about their unique operations, cybersecurity threats and vulnerabilities.”
Celia Paulsen, a researcher with NIST, was among the business and governmental experts who presented at the seminar. The key to good cybersecurity is knowing your business, she said. To figure out security priorities and the cost of protection, business leaders should know:
- How the business operates.
- What resources the business uses.
- Where its information is located.
- Who has access to the information and systems that the business uses.
- What to protect.
A good management-level policy should outline:
- What to protect.
- What security requirements will be enforced.
- Who is in charge of what.
- Training requirements.
Eric Pulse, director of risk advisory services and a principal with Eide Bailly, a regional consulting and CPA firm, said that developing a business culture that values security must start at the top of an organization.
All businesses should consider using the NIST Cyber Framework to build or improve their cybersecurity strategy, Pulse said. He especially likes that it’s flexible and not mandated.
“The voluntary nature really helps you think outside the box,” he said.
SDN has worked through the NIST Framework and encourages other companies to do the same.
Other agencies and organizations can also offer guidelines to help companies build a good cybersecurity strategy. Consider looking at the resources offered by:
- The U.S. Small Business Administration
- The U.S. Federal Communications Commission
- The U.S. Federal Trade Commission
- The U.S. Department of Homeland Security
In addition to having cybersecurity experts on staff who can assist businesses and organizations, SDN offers services such as Managed Router, Managed Firewall, and DDoS Protection to help companies mitigate risks.