Today’s headlines are full of cautionary tales of companies (and individuals for that matter) falling victim to cyber crime. Some incidents are very sophisticated; others not so much. Some companies are large; others are small. Some had prepared and defended, while others did very little. Some attacks were very targeted, while others were more akin to drag netting to see how many the criminals could snare. Many attacks were thwarted, but many were not.
The moral here is that anyone, from the big to the small, the prepared to the unprepared, the top-secret facility to the local mom-and-pop shop, can fall victim. So what is a small business that doesn’t have a dedicated cybersecurity team to do?
You probably don’t even know where to start.
Enter the cybersecurity framework.
Adopting a cybersecurity framework is a great place to start as it provides you with a foundation on which to improve your cybersecurity posture. Your framework won’t tell you how to improve, but it will give you insights into industry best practices that you can implement to protect yourself.
There are many different frameworks available, such as ISO/IEC 27001, NIST Cybersecurity Framework, SOC 2, CIS, and NIST SP 800-171, to name a few.
Some companies, based on their specific industry, may be required to comply with one or more particular frameworks, such as CMMC/NIST SP 800-171 for defense contractors. Others seek to demonstrate their cybersecurity posture through formal, voluntary conformance to schemes such as ISO/IEC 27001. If your industry requires you to meet a specific framework through a formal accreditation or certification process via a third-party audit or assessment, then this is a no-brainer.
But what if no one is forcing you to implement a framework? Adopt one anyway!
Frameworks aren’t only useful to those companies that MUST have them to do business. They are great for any company. You can adopt a framework purely to help protect yourself or your business, implementing those best practices that are within your company’s capacity. When you are not compelled to do so by contractual or legal requirements, you can adopt as much or as little of the framework as you see fit.
Basically, in layman’s terms, a framework is simply a set of guidelines anyone can use to improve their cybersecurity posture.
Cybersecurity can be very technical and complex, but there are many simple things you can do today, and the frameworks can help you sort through the whole gamut. Things like access control, strong passwords, staff training (particularly on the dangers of phishing emails), personnel and physical protections, backup plans, and incident response plans (in the event of an attack) can be implemented with very little upfront cost or technical capability. An educated staff is one of the first places to start, and they could ultimately be the first (or last) line of defense in an attack. Of course, if you have the budget, implementing more robust security-related software, tools, and managed services can really help you shore up your defenses.
Do yourself a favor… don’t wait. Pick a framework (any framework) and start implementing what you can. Sooner or later, you or someone at your company will come across a threat, and your prior preparations could indeed be the difference between averting a crisis and falling victim and losing some or all of your assets.
It’s not just for the big companies with national defense secrets. If your company makes money, you are a potential target. And every little bit that is implemented helps get you to a better security posture.
Looking for guidance on which framework might work best for you? Give us a call at DCS, and we can help point you in the right direction.