In today's digital age, organisations of all sizes face increasing cybersecurity threats. A best practice for all organisations wanting to protect their assets and data is to leverage a cybersecurity framework. I often get asked by organisations (especially SMBs) whether they should be adopting a cybersecurity framework and, if so, which one.
Understanding Cybersecurity Frameworks
Firstly, it's important to understand what a cybersecurity framework is. A cybersecurity framework is a structured set of guidelines, policies, and procedures that an organisation can adopt to improve its cybersecurity posture. It provides a common language and approach to managing cybersecurity risks, helping organisations to identify vulnerabilities, prioritise threats, and implement effective security measures.
Think of it as a roadmap for cybersecurity. It outlines the steps an organisation needs to take to protect itself from cyber threats, such as:
Identifying assets: Understanding what needs to be protected, including data, systems, and networks.
Assessing risks: Evaluating the potential threats and vulnerabilities that could impact your organisation.
Implementing controls: Putting in place security measures to protect assets and mitigate risks.
Monitoring and detecting threats: Identifying and responding to potential cyberattacks.
Incident response: Having a plan in place to deal with security breaches.
Here in Australia, we have two main cybersecurity frameworks that most organisations adopt, whether they are a small business or something a little larger: the NIST CSF (now version 2.0) and the Essential Eight.
Adopting a cybersecurity framework, such as the NIST Cybersecurity Framework (CSF) or the Essential Eight, demonstrates a commitment to due diligence and governance, and helps to satisfy cyber insurance requirements, compliance requirements and industry standards.
Organisations can also demonstrate to stakeholders, regulators, and the public that they are taking appropriate steps to protect their assets and customer data and to mitigate cybersecurity risks, which in turn helps to build trust, enhance reputation, and improve overall business performance.
So which one is right for my organisation? Let's break down the differences.
NIST CSF vs. Essential Eight (E8)
Essential Eight
The E8 is based on three maturity levels and can apply to all organisations regardless of size, complexity and maturity. It does have a narrower focus, in that it is specifically designed to address the most critical cyber threats facing Australian organisations and outlines eight essential mitigation strategies that are considered most effective for reducing cyber risk.
It is very action-oriented, and provides clear, practical and actionable steps that organisations can take to implement the Essential Eight. It's also a good option for smaller organisations or those looking for a more targeted approach.
It comprises the following areas:
Patch Management: Including regular patching of operating systems (Windows, *nix, hypervisors etc.), client-side applications (web browsers, Adobe, Office etc.), identifying assets and regular vulnerability scanning.
MFA: Adopting MFA across all systems and applying it to all accounts.
Least privilege principles: Including restricting admin access / privileges, using dedicated separate privileged accounts, restricting privileged accounts from logging into unprivileged environments etc.
Application Control: Restricting what applications can be run on workstations (application whitelisting).
Restrict Microsoft Office macros: Disabling or restricting end-user abilities to run Office macros.
User Application Hardening: Disabling legacy web browsers and restricting web technologies such as Java, as well as blocking ads and restricting users' ability to change web browser behaviour / security controls.
Backups: Ensuring regular backups and Business Continuity Planning (BCP), including regular testing of backups and restricting access to backups.
NIST CSF 2.0
Where the E8 has a narrow scope, the NIST CSF has a much broader scope, covering all aspects of cybersecurity, including identifying assets, protective controls, threat detection, incident response and recovering from attacks, whereas the Essential Eight is focused on specific mitigation strategies. The CSF is particularly well-suited for larger, more complex organisations.
At a high level it comprises six main areas (functions):
Govern
Governance: Establishing policies, procedures, and roles and responsibilities related to cybersecurity.
Risk Management: Implementing a risk management framework to identify, assess, and mitigate risks.
Continuous Monitoring: Regularly reviewing and updating cybersecurity policies and procedures to ensure they remain effective.
Compliance: Ensuring compliance with relevant laws, regulations, and industry standards.
Supply Chain Risk Management: Managing cybersecurity risks associated with third-party suppliers and vendors.
Identify
Assets: Identifying and categorising critical assets, including hardware, software, data, and people.
Business Processes: Identifying improvement opportunities for the organisation's policies, plans, processes, procedures, and practices that support cybersecurity risk management, to inform efforts under all six functions.
Risk Assessment: Evaluating the likelihood and impact of potential cyber threats.
Protect
Access Control: Implementing strong access controls, such as identity management and access control, to restrict unauthorised access.
Data Security: Protecting sensitive data through encryption, data loss prevention, platform security and other measures.
Workload Security: Securing workloads and applications to prevent unauthorised access and data breaches.
Physical Security: Protecting physical assets and infrastructure from unauthorised access.
Detect
Anomaly Detection: Monitoring networks and systems for unusual activity that may indicate a cyberattack.
Continuous Monitoring: Regularly assessing the security posture of the organisation.
Security Information and Event Management (SIEM): Collecting and analysing security-related events to identify threats.
Threat Hunting: Proactively searching for threats that may have evaded detection by traditional monitoring methods.
Respond
Incident Response Planning: Developing a comprehensive incident response plan to guide actions during a cyber incident.
Incident Management: Coordinating the response to a cyber incident, including containment, eradication, recovery, and communication.
Forensics: Collecting and analysing digital evidence to identify the cause of a cyber incident.
Coordination: Coordinating with relevant stakeholders, such as law enforcement, reporting bodies and cybersecurity experts.
Recover
Recovery Planning: Developing a plan to restore operations and data after a cyberattack.
Testing and Exercises: Regularly testing the incident response plan to ensure its effectiveness.
Lessons Learned: Identifying and addressing root causes of incidents to prevent future occurrences.
The CSF is also more flexible than the E8 and can be adapted to fit the specific needs and resources of different organisations. It is also much more comprehensive than the E8, in that it provides a detailed roadmap for improving cybersecurity, including guidance on risk assessment, control implementation, and incident response.
Which one to choose?
The best framework for an organisation depends on its specific needs and resources. If an organisation is looking for a comprehensive framework that covers all aspects of cybersecurity, NIST CSF 2.0 is a good choice. If an organisation is looking for a more focused approach that addresses the most critical cyber threats, or if it has a very basic cybersecurity maturity, the Essential Eight is a good option. Other factors to consider include:
Organisation size and complexity: Larger, more complex organisations may benefit from the comprehensive approach of the NIST CSF. Smaller organisations may find the Essential Eight more manageable.
Industry and regulatory requirements: Some industries, insurance or regulations may require specific cybersecurity controls or frameworks.
Existing security practices: If an organisation already has some security practices in place, it may be easier to align with the Essential Eight.
Budget and resource constraints: The Essential Eight is generally considered more cost-effective than the NIST CSF, as it focuses on the most critical threats.
Organisation's risk tolerance: Organisations with a high tolerance for risk may be able to get away with a more basic approach, while those with a low tolerance for risk may need a more comprehensive framework.
Cyber Insurance Coverage: These days, I see a lot of insurance companies asking in their assessment questionnaires whether organisations are in alignment with the E8, and you may have requirements to align with particular standards to ensure your cyber insurance coverage. It is also worth noting that the U.S. Government recognises NIST, so some larger insurers (particularly US-based ones) may require the CSF over the E8.
Combining Frameworks: A Powerful Approach
While the NIST CSF and E8 may seem like competing frameworks, many organisations find value in using both together. The Essential Eight can help identify the most critical risks, while the NIST CSF provides a detailed roadmap for mitigating those risks.
By combining the two frameworks, organisations can benefit from:
Enhanced focus: The Essential Eight helps prioritise efforts, ensuring that resources are allocated to the most pressing threats.
Comprehensive coverage: The NIST CSF provides a broader framework, ensuring that all aspects of cybersecurity are addressed.
Tailored approach: Organisations can adapt both frameworks to their specific needs and resources.
Common Misconceptions
There are a few common misconceptions when it comes to frameworks. Often people will say "one framework is better than the other". Both the NIST CSF and the E8 have their strengths; the best choice depends on an organisation's specific needs and circumstances.
Another common misconception is that "frameworks are only for large enterprises". Small and medium-sized businesses can also benefit from using cybersecurity frameworks, with the E8 well suited to smaller organisations.
A third is that "frameworks are static": a lot of organisations think that once a framework has been adopted, that's that and they will stick with it as is. Cybersecurity frameworks, and your alignment with them, need to be regularly reviewed and updated to address evolving threats.
Taking the Next Step
Choosing the right cybersecurity framework is an important decision. To get started, consider the following steps:
Assess your organisation's needs: Determine your organisation's size, complexity, industry, risk appetite and organisational risk profile, as well as its regulatory requirements.
Evaluate the frameworks: Research the NIST CSF and Essential Eight to understand their key features and benefits and which one is best suited to your organisation or business.
Consult with a cybersecurity expert: A professional can help you choose the best framework for your organisation and provide guidance on implementation.
By adopting a cybersecurity framework and following best practices, your organisation can significantly reduce its risk of cyberattacks and protect its valuable assets.
If you would like further information or assistance on cybersecurity frameworks, don't hesitate to reach out!