Why The “Protect” Function Is Critical In The NIST Cybersecurity Framework
The National Institute of Standards and Technology works to ensure economic stability and was formed in 1901.
Over the last decade, it has produced and refined two versions of its Cybersecurity Framework to give the business community a set of standards and practices that businesses can use to effectively protect themselves from cyber attacks.
Recently, the second version of this document has been released.
It puts forth revised guidance enabling small and medium-sized businesses to not only secure their data more effectively but also create a uniform set of practices that make the answers to important questions applicable across business models and industries.
In recent posts, we have been going over the importance, value, and utility of the various functions of the 2.0 Framework.
Here we will focus on the “Protect” function.
We will cover outcomes that can be expected of it, the connection to other important Framework functions, ways you can make use of it, and more.
The Protect Function
NIST describes the Protect function as follows:
“The Protect Function provides safeguards to ensure the delivery of key infrastructure services. It supports the ability to limit and contain the potential harms of a successful cybersecurity attack.”
Key Outcomes Expected From The “Protect” Function
There is one goal of all cybersecurity processes and that is to protect sensitive data.
The Framework achieves this in five key ways, each with certain expected types of results.
The results you can expect from the Protect function alone are limited only by the number of business models and industries it can serve.
Here are a few examples:
- Inter-organizational Access Control and Identity Management including direct and remote access.
- Equipping employees with the necessary training to maintain a data-protective stance regarding access and permissions.
- The establishment of consistent data security through a well-written and well-implemented risk strategy custom-fit to your organization.
- The implementation of processes and procedures to consistently safeguard assets and systems.
- Safeguarding business resources through the planned and guided maintenance of said processes and procedures.
- The management of protective hardware and software to establish resilient integrity of mission-critical assets.
As stated, these discrete expectations of the Protect function are only those that can be predicted across the known spectrum of scenarios and use cases.
The actual number of positive outcomes is likely to be much greater than this, especially when the Protect function is properly integrated with the four other functions of the Framework.
The Connection Between “Identify” And “Protect” In NIST
To understand any protective stance, we would do well to look at psychological definitions of vigilance.
Consider a missile defense system, for example.
In refining such a system, adjusting the sensitivity level is critical.
If the system executes a defensive action when it detects a bee, it’s too sensitive.
If it only responds after a full barrage is incoming, that’s not good enough.
Within the NIST Framework 2.0, adjusting the Protect function is done largely by interlocking policies and functions with the other functions.
In particular, the Protect function works most closely with the Identify function.
Hence the vigilance analogy.
Because of the nature of any system of protection, it must work closely with the Identify function.
Without identification, any effort to protect will fail, and without the ability to protect, identification is only academic.
Therefore, these two functions must be thoroughly connected within any implementation of the Framework.
Fortunately, NIST provides extensive and explicit guidance on how small and medium-sized businesses can integrate these two functions.
Further support must be ongoing and is also available from high-quality vendors in the industry.
For a start, the first recommendation is to give precedence to the Identify function.
After all, any entity needs to “see” before it can be expected to respond appropriately.
Looking at these two functions this way, we might say the Identify function is administrative, while the Protect function is executive.
Practical Measures To “Protect” Your Assets: NIST Guidelines
NIST provides robust guidance for each of the Framework’s functions.
For the Protect function, some recommendations are universal and some are contingent on your risk profile.
Here are a few of the universal ones.
Keep Assets Updated and Patched
Because cybersecurity threats are ever-changing and constant, your software needs regular patching.
Code that serves as a feature one day can be a vulnerability the next.
Professional development teams are there to keep the products they sell relevant by constantly working to patch them.
These services are almost always free.
So there is no reason not to take advantage of them.
Curate Data Storage Carefully, Removing Unneeded Material
Data stored on a system that can access the internet should include only what you need to deliver value and make money.
Everything else should be deleted or stored offline.
Why increase the size of your vulnerability with data you don’t require?
Test Your Emergency Response Plan
Once you have a strong emergency response plan in place, test it.
There is no other way to know that it will work.
Develop Cybersecurity Awareness Among Your Workforce
Your workforce needs to know how to respond to social engineering and other soft hack attempts.
They should be trained in how to exercise vigilance, knowing that vigilance is required.
Report Social Engineering Attempts/Incidents Promptly
You cannot reasonably expect to stop every social engineering attack.
Therefore, an important part of your policy of vigilance is that each such attempt and suspected attempt is reported at the earliest possible time.
Use Multi-Factor Authentication
Finally, use multiple passwords and multi-factor authentication checks.
A good hacker or piece of malware can muscle its way through a single-factor barrier, but successfully beating two by force is very unlikely, and three is next to impossible.
Of course, these are not the only policies/measures you should put in place to protect your business.
The exact Protect-function practices you should put in place will depend on multiple factors.
Professional consultation may be necessary.
The Role Of Employees In Safeguarding Small Business Assets
For years now, cybersecurity thought leaders have been admonishing SMBs to guard against social engineering attacks by creating an internal culture of data security.
This point bears repeating because social engineering attacks are the easiest to forget about, especially for personnel whose daily roles apparently have little to do with it.
The most commonly targeted individuals will be those in a liaison position.
Anyone who sits at a public-facing desk, answers phones, takes messages, responds to emails, and so on fits this description.
Of course, many employees may find themselves taking on such a role, even momentarily.
This can make it tough to train staff effectively.
This is why data security, especially regarding social engineering hacks, must be practiced across your entire organization.
All employees must be trained to guard not only authentication codes but also the personal information of authorized personnel.
Guarding against social engineering attacks may be the only thing all of your employees must learn about data security.
But anyone who operates an internet-connected computer also needs general data security training.
Further, employees must know that sound data security practices are not just encouraged, but required.
Ongoing Maintenance: NIST’s Recommendations For Sustaining Protection
Perhaps one of the biggest vulnerabilities any business faces is the boom-and-bust nature of the enthusiasm behind implementing new programs.
The unfortunate fact is that we tend to get inspired to put new programs in place.
We hold seminars, listen to speakers, network, and take lots of notes.
But as the enthusiasm fades, so do the teeth in our new policies.
But hackers will still be there, ready to pounce when we stop being vigilant.
This means our policies, practices, and risk profiles need regular review and revising.
NIST has a litany of recommendations for sustaining protection, and vigilance is chief among them.
For this, you may need a dedicated data security maintenance IT crew.
Monitoring And Adjusting Your Small Business Cybersecurity Strategy
Just as any good business plan should be revised in response to market changes, so too should your cybersecurity strategy change with the times.
This requires regular monitoring, collaboration, and revision.
To do this effectively, the Protect function must be meaningfully married to the Identify function.
Likewise, it must also be well integrated with the Detect function.
According to NIST,
“The Detect Function defines activities to identify cybersecurity events. It enables discovery of cybersecurity events.”
Not to be confused with the Identify function, the Detect function is less about scanning the horizon and more about homing in directly on threatening events.
Once these have been responded to, debriefing and strategy revision can begin.
Small Business-Specific Considerations For Cybersecurity Protection
One of the most exciting things about the 2.0 Framework is the fact that it is optimized for SMBs.
Here are some useful tips that the Framework describes and alludes to:
- Prohibit Network Access for Personal Apps and Non-Business Sites
- Outsource Critical IT Systems
- Use a Password Manager and MFA
- Educate Your Team On Social Engineering and Phishing
- Remove Unused Accounts and Services
- Update Security Software Regularly
- Form Data Security Partnerships With Other Small Businesses
Again, this is just a small sample of the guidance the Framework provides.
Conclusion: The Importance Of “Protect” In Your Cybersecurity Strategy
It stands to reason that many consider the Protect function to be central not only to the NIST Framework but to cybersecurity itself.
For this reason, many organizations begin with the Protect function.
This is fine, as long as you don’t stop there.