For the first three weeks of the International Cyber Security Awareness Month campaign I focused on security tips “for the people”.
For the remainder of this month I am switching tracks to help build up awareness of what cyber security looks like for the small and medium enterprise sector.
Several industry-led security guidelines and standards have been developed over the years to help businesses manage the risk of cyber threats. Popular frameworks such as ISO 27000, the NIST Cyber Security Framework (CSF) and the CIS Critical Security Controls define a set of technical and procedural security controls which every business should implement. The idea with these frameworks is that if they are implemented properly and consistently across the enterprise, the organization will be in a much better position to prevent, detect and respond to cyber threats. Additionally, following a framework, and better yet being audited against one, enables a company to communicate to its customers and partners that it follows industry leading practices and takes cyber security seriously.
However, industry leading frameworks such as ISO 27000 and the NIST Cyber Security Framework (CSF) are massive, complex and focused on mitigating cyber threats in large enterprise IT environments. Small to medium enterprises and smaller public sector entities are typically left in the dust when it comes to finding a framework that works for their business. This is because enterprise grade frameworks:
Expect enterprise grade budgets
Are written in absolutist terms, rather than priority based
Are a little stale, not reflecting the reality of how modern businesses consume IT such as Cloud services
WHY You Need a Cyber Security Framework?
Big enterprises use security frameworks because (A) their risk management policy tells them to, (B) their clients expect them to, and, most importantly, (C) frameworks provide consistency and standardization in massive, hyper-complex IT environments. However, those complexities seldom exist in the small and medium enterprise space, so why should the SME space align to an enterprise standard?
I think the first thing to do is understand the “why”: why a company needs to follow a standard in the first place. As discussed above, security frameworks:
Are leading practices as defined by the cyber security industry
Provide a definitive list of things a business can do to lower cyber risk
Are recognized by third parties
To address the first point, these frameworks define industry leading practice to address known cyber threats. Though I do have concerns with their agility when it comes to aligning to modern day IT, most of the security dogmas within these frameworks hold true regardless of whether you are in the data centre or in the Cloud. Following a security standard is not a panacea; certainly “compliant” companies have been and will be breached. Rather, the intent of following a security framework is to set a foundation of controls and culture so that the business avoids falling victim to the preventable “dumb stuff”.
Second, businesses often know cyber security is important but do not know where to start. As I have mentioned in other writings, the wrong way to start your cyber security journey is by buying “stuff”. Certainly technology will play a key role in preventing, detecting and responding to cyber threats, but I do recommend defining a strategy (your “WHY”) first and then leveraging a security framework to define your “HOW”.
Last but definitely not least, these frameworks are a common language between businesses, regulators and customers. ISO 27000, for example, is maintained by the International Standards Organization and, as you can assume, is an internationally recognized standard. This bodes well when a business needs to articulate how it manages cyber risk to a future customer.
What Can Small and Medium Enterprises Do?
Many small and medium enterprises are waking up to the fact that cyber security is no longer a nice-to-have, but is mandatory. However, there are a lot of businesses out there that still believe they are too small and that cyber security is not important to them. Let’s change their minds:
Ransomware: Businesses that have not taken cyber security seriously will experience a ransomware attack that could put them out of business. Cyber criminals are targeting businesses with advanced malware that will encrypt all business data, making it unreadable until the company pays a ransom. Companies that have refused to pay end up losing all their data.
Privacy Laws: Almost every jurisdiction has or is developing privacy legislation, and if a company collects personally identifiable information, it now has a legal obligation to protect that data. Failure to do so can result in substantial fines and substantial brand reputation damage.
Table Stakes: Larger businesses take cyber security seriously and are realizing that their supply chain exposes them to cyber risks. Companies are now expecting their B2B suppliers to support their cyber security and risk management requirements. Companies who do not take cyber security seriously are losing business to companies that do.
So, before a company starts looking at frameworks, it is important to build awareness around what the business is trying to protect. The following are good discussion points to have with the business risk owners (CEO, CFO, etc.):
What systems or Cloud services are critical to the business
What data is critical to the business
What risks are relevant to the business
What security controls exist
The first and second points focus on knowing all the assets that keep the business running. These can range from servers to websites to Cloud based CRMs, and from customer data to business records to intellectual property. Knowing all the assets that keep the business functioning is the first step toward understanding how to protect them better.
The third point revolves around understanding what threats could materialize and impact the business. Certainly a business that runs an online retail website is more exposed to cyber threats than one that does not, and understanding the risk exposure will help the business understand what adequate security controls look like. Every business is different and will have a different tolerance for the amount of risk it is willing to accept.
The fourth point is about the existing security controls that may or may not be adequately protecting the business. A business likely already has some security controls in place, and assessing their existence and their effectiveness will enable the business to better understand its exposure.
Establishing awareness around the problem will help the business define and prioritize a preliminary cyber security strategy (the “WHY”). This preliminary strategy will articulate why cyber security is important to the business and what the business plans on doing to mitigate the risk. Think of this as a charter for the business’ cyber security journey. Once the business has established “WHY” they need better security, the next big question is “HOW”.
Critical Security Controls Framework
We at Mirai Security are big fans of the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (CSC), also known as the “Top 20”. The CSC is a decent middle ground framework compared to the more comprehensive and enterprise focused frameworks. The CSC provides a prioritized list of 20 technical security controls that, if implemented appropriately, can lead to up to an 80% reduction in risk exposure.
This is a popular framework for technical teams as it focuses on technology and not governance. However, we are strong believers that governance complements technical controls and that having one without the other is not ideal. To fill the gap in the CSC, the team at Mirai Security developed our own proprietary assessment framework that assesses not only technical controls but also the people and process side of the equation. Our security posture assessment methodology has helped countless small and medium enterprises understand their cyber security “WHY” and define their security roadmap, the “HOW”.
Pros:
Updated fairly frequently and crowd sourced by the community
Not overly verbose, and prioritized based on impact and value
Fairly prescriptive/low level, allowing technical teams to jump right in
Cons:
Stale; does not focus on modern IT consumption such as Cloud
Still has controls that only an enterprise would implement
The Defensible Security Framework
The Chief Information Security Officer (CISO) of the Government of British Columbia and his team at the Office of the Chief Information Officer (OCIO) have had the monumental task of “raising the cyber security water-level” within the vast public sector in British Columbia. While governments love frameworks, the OCIO team was challenged to find a framework that fit the requirement of helping small, typically understaffed public sector organizations do better at security. So, they developed the “Defensible Security Framework” to consolidate industry guidance into an easier to digest framework for public and even private sector organizations who need to “raise the water-level”.
The framework takes the best of many other industry leading frameworks to ensure that small teams are not overwhelmed but still cover all the cyber security bases. It leverages a “maturity capability model” of sorts that starts with foundational cyber security “hygiene” and then ascends to compliance, risk based security and then world-class security.
Pros:
Decent balance between technology, process and people
Has a staged approach to build awareness, gather information and then implement change
Focused on providing decision makers with a shopping list of projects
Defines the level of effort for each control
Cons:
More descriptive than prescriptive; you will still need to do more reading on how the controls should be implemented
Not overly technical, and leaves a lot to interpretation
Very process oriented, which for the private sector may not be a priority
Not recognized outside of British Columbia
Federal Government’s CyberSecure Canada
The federal government has also stepped in to help small and medium enterprises cope with the reality of cyber threats by providing another standard to go by. This baseline framework is fairly new, so this is mostly an honourable mention, but here is how the government describes its intentions:
“CyberSecure Canada is a federal cyber certification program that aims to raise the cyber security baseline among Canadian SMEs, increase consumer confidence in the digital economy, promote international standardization and better position SMEs to compete globally.”
You can find out more about the program here: CyberSecure Canada, and have a look under the covers at the Baseline Controls for Small and Medium Organizations.
Pros:
Has federal government backing
You (eventually) will be able to certify against it
Likely will (eventually) be a differentiator when doing business with the public sector
Has some decent descriptions of the “why”
Cons:
As much as they say “international standardization”, it is not an international standard; that would be ISO
Most practitioners are not aware of it, nor trained to audit against it
Fairly high-level; this is not a recipe book for being secure
Immature, and will be expensive to certify against
There are ample cyber security frameworks available to standardize cyber risk management practices and measure their effectiveness. As discussed, many can be overkill for small and medium enterprises, which has made it hard for the SME space to know where to start. The above frameworks are great starting points for helping SMEs understand what industry leading security practices look like and what to implement first. However, considering most SMEs do not have unlimited budgets to implement cyber security, a pragmatic and prioritized strategy is essential to finding the appropriate balance between cost and risk reduction.
At Mirai Security, we translate the governance, risk management and compliance “WHY” into the Security Operations, Cloud and Application Security “HOW”. If cyber security is becoming more important to your business and you need guidance along your cyber security journey, we are here to help.