Hello and welcome to Think Cyber Secure! Firstly, I want to say thank you for reading. I know how valuable your time is, so thank you for choosing to spend some of it with us.


We talk to many people who see the news headlines and want to improve their businesses’ cybersecurity.

However, they struggle with what to do and where to begin.

They see all the tools they could buy and all the threats out there and wonder how it fits together, or they conclude that it’s too expensive. Often, this leads to choosing the “do nothing” option.

Getting started and building a plan aren’t all that hard, though. Like anything, it just takes a little effort.

The best part? You don’t have to go it alone or guess at what you need to do. There are frameworks and guidelines out there that can help.  

We like to use what’s called the NIST Cybersecurity Framework. It’s a set of guidelines created by the National Institute of Standards and Technology in the United States. The seven steps walked through below come from the section of the framework (version 1.1) on establishing or improving a cybersecurity program.

You don’t need to be a huge company to start using resources such as the NIST Cybersecurity Framework. It’ll help your planning whether you’re a large company with an office and many employees or your business is just you in your basement.

We like to use it because it gives you an excellent guide and it’s easy to understand. It’s adjustable to fit how big or small your business is. Its informative references map each outcome to common cybersecurity standards (such as ISO/IEC 27001, the CIS Controls, and NIST SP 800-53) for if and when you’re ready to dive deeper. It’s also accessible – freely downloadable from NIST’s website.

We will touch on each of the seven steps the framework recommends for establishing a cybersecurity program in your business. As we go, you should start to see how a plan could develop from each step.

Step 1: Prioritize and scope

The first step is to identify your business’s objectives and priorities. Not just for cybersecurity, but for the business as a whole. These are what you’ll use later to make strategic decisions about where to spend time and money on cybersecurity.

Next, decide on the scope. Do you want to work on your entire business’s cybersecurity, or only one division or business line?

Step 2: Orient

Once you’ve defined the scope, start digging into the systems, assets, and data that fall inside it, and refine the scope as you learn more.

This research also includes identifying any regulatory requirements that apply to you, the threats to those assets, and their known vulnerabilities.

Step 3: Create a current profile

After Steps 1 and 2, you can use the framework’s list of outcomes (it calls them Categories and Subcategories) to build your business’s current cybersecurity profile: for each outcome, note whether your business achieves it today.

“Current profile” is a fancy term for “where your business is currently at concerning cybersecurity.”

Step 4: Conduct a risk assessment

In the last step, we determined which of the framework’s outcomes your business currently achieves. However, the framework is a guide, not a compliance checklist, and it doesn’t cover every business’s nuances and unique threats.

A risk assessment comes in handy here to assess the actual cyber risk facing your business. 

This is generally a step for which you’d hire someone proficient in risk assessments to help.

It can be a complicated process and requires a range of cybersecurity skills. It’s also easier for a third party to be objective during the assessment, since they have no stake in the outcome.

Step 5: Create a target profile

Using your risk assessment results, your business’s goals and objectives, and the framework, decide where you want to go or what target cybersecurity profile you want to achieve.

Step 6: Determine, Analyze and Prioritize Gaps

Compare your business’s current cybersecurity profile with the target profile you want to achieve. Note each of the gaps, and prioritize them based on the risk they represent, the cost of closing them, and your business situation.

Step 7: Implement an action plan

Finally, create an action plan to close the prioritized gaps, with owners and target dates for each item. The framework treats this as a cycle: once the plan is under way, you go back and reassess your current profile against the target, and repeat the steps as needed to keep improving.

I hope that, through those steps, you can see how to put together a cybersecurity action plan for the year.

What improvements do you have planned for your business’s cybersecurity this year?