Define cybersecurity before you can refine your efforts

The term cybersecurity is often broadly used to mean many things. Is it protecting your data against hackers? Is it ensuring smart password protection? Is it taking steps to reduce the risks to software, computers, and networks?

The answer is yes to all of the above. However, if your organization's definition of cybersecurity stops at any of these statements, then consider these sobering facts on how breaches commonly occur:

• 76 percent exploit weak or stolen credentials

• 52 percent use some form of hacking

• 40 percent incorporate malware

• 35 percent involve physical attacks

• 29 percent employ social tactics

• 13 percent involve privilege misuse

Threats

Threats and incidents occur at any corner or level of your organization, making the best definition of cybersecurity one that includes the comprehensive and multidisciplinary approach necessary for effectively securing data on every front. And the most constructive place to start is with the "framework."

The National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity.

Voluntary and risk based, it provides a set of standards and best practices to help organizations, regardless of their size or degree of cybersecurity sophistication, to create, guide, assess, or improve their cybersecurity programs as well as the resilience of their critical infrastructures.

Much of the guidance comes in the section called the framework core, a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The core presents five key functions - identify, protect, detect, respond, and recover. Taken together, these core functions allow any organization to better understand the life cycle of its cybersecurity risk management and more effectively shape its cybersecurity program. And it provides the foundation for establishing a sound definition of what cybersecurity should include for your organization.

It's important to note that the framework does not replace an organization's risk management efforts or program; it merely complements them. Some companies may leverage the framework to identify opportunities for strengthening their cybersecurity programs; others may use the framework as a reference for establishing new programs.

Five functions

The five core functions, as outlined, help organize basic cybersecurity activities at their highest level. Performed concurrently and continuously, they help create an operational culture to more effectively address dynamic risks. Here's how NIST defines each function:

• Identify. Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. These activities are foundational for the effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

• Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The protect function supports the ability to limit or contain the impact of a potential cybersecurity event.

• Detect. Develop and implement the appropriate activities to not only identify the occurrence of a cybersecurity event, but also enable the timely discovery of such events.

• Respond. Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The function further supports the ability to contain the impact of a potential event.

• Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired because of a cybersecurity event. This includes the timely recovery to normal operations to reduce the impact from an event.

As you work to define cybersecurity for your organization, consider incorporating the framework. It can be a key part of your systematic process for identifying, assessing, and managing cybersecurity risk and will serve as a more comprehensive foundation for defining a program with real meaning and results.

• Jeff Olejnik, director of risk advisory services, and Paul Johnson, senior manager at Wipfli LLP with offices in Northbrook, Westchester and Tinley Park. Contact them at JOlejnik@wipfli.com or pjohnson@wipfli.com

Photo caption: This photo illustration shows hands typing on a computer keyboard on Wednesday, Feb. 27, 2013. Security threats aren't new and have long been part of online life. But the increased attention on them offers a good time to review ways you can protect yourself. (AP Photo/Damian Dovarganes)