Cyber Risk Assessment and the Cyber Security framework
It is not a matter of 'if' but of 'when' a business will suffer a cyber attack.
With the increase in cyber threats, the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce developed a Cyber Security framework to help businesses of all sizes to better understand, manage, and reduce their exposure to cyber security risk, and protect their devices, networks and data.
The framework provides best practices to help businesses focus their time and money on high priority, high impact threats.
The way to implement the framework is for the business to conduct a Cyber Risk Assessment on a regular basis, working through the five functions of the framework: Identify, Protect, Detect, Respond, and Recover.
Firstly, in 'Identify', the business documents all the equipment, software, online services and data it uses. Responsibilities and roles are defined for employees, suppliers, and anyone else with access to sensitive data, and the steps to be taken to protect against a cyber attack and to limit the damage when one occurs are documented.
In 'Protect', technical measures such as software updates, regular backups, data encryption, controlling access to sensitive data and more are put in place and documented in the Cyber Risk Assessment. Regular cyber security awareness training for employees, such as the course you are taking right now, also forms part of 'Protect'.
In 'Detect', devices, networks and data are monitored for unauthorized access. Unusual activity on the network, or by employees, is investigated.
In 'Respond', the business documents its plan for when things go wrong. How will clients and employees be notified when their data may have been compromised? How will the business continue to operate while under attack? How will an attack be investigated and contained? As part of the Cyber Risk Assessment, this plan needs to be tested on a regular basis.
Lastly, in 'Recover', after an attack has occurred, how will the business repair and restore its equipment and software and recover its data? How will clients and employees be kept informed of the business's response and recovery?