Not long ago I added another dimension to my role here at Invario. In addition to Founder and President, I am the Chief Information Security Officer (CISO). Appointing myself as CISO was the first step in Invario’s compliance with the NIST cybersecurity framework. Specifically, we decided to follow the 110 controls for data systems that make up NIST 800-171.
Jared Kohl, our VP of Operations, likes to say, “we need to eat our own cooking.” What he means is that Invario must use the same information technology solutions we sell to customers. This gives us an advantage when it comes to understanding the business benefits, or pain points, for other small businesses. Eating our own cooking dictates that Invario demonstrate cybersecurity compliance based on a trusted authority, just like our customers would. We chose the National Institute of Standards and Technology (NIST) cybersecurity framework as this authority.
Is the NIST Cybersecurity Framework Right for Your Small Business?
Small businesses that do not fall under any specific regulatory purview are often unsure which cybersecurity protections apply to them. Invario examined several cybersecurity frameworks before landing on NIST. Based on my experience, any company dealing with confidential or sensitive information can benefit from NIST 800-171 compliance. Sensitive information includes: Personal Information (PI/PII), Protected Health Information (PHI), Payment Card Information (PCI), Controlled Unclassified Information (CUI), and proprietary information.
NIST developed the 800-171 requirements to protect the confidentiality of CUI in non-federal organizations. But adhering to the NIST cybersecurity framework can help any small business safeguard sensitive information. NIST 800-171 offers specific guidelines that small and mid-sized businesses can clearly understand.
For organizations that provide services to federal or state agencies, NIST 800-171 compliance may be mandatory. In Fall 2020, the DoD will roll out a Cybersecurity Maturity Model Certification (CMMC) that requires companies to demonstrate compliance with the NIST cybersecurity framework. Failure to comply could result in the loss of valuable contracts.
Implement Cybersecurity Best Practices for Your Small Business
Every small business is unique, with varying amounts of data that they need to protect. For Invario, that means safeguarding valuable information about our customers’ IT infrastructure. Implementing the NIST-800 171 framework is essential for creating the policies and controls around keeping this data safe.
Following the NIST cybersecurity framework forced us to update some legacy configurations. We needed to do this in order to meet today’s stricter cybersecurity standards. Some tasks take a little bit longer, like logging in with 2FA instead of simply typing in a password. It’s worth it.
These types of decisions are why it’s so important that the CISO come from within your organization. Every small business needs a customized solution to manage their particular risks and implement controls specific to their systems.
Get Started With the NIST Cybersecurity Framework
Easy steps your small business can take to get started with the NIST cybersecurity framework:
1. Appoint Your Organization’s CISO
As the nature of the threat landscape has evolved, the role of the CISO has transitioned from purely technical to proactive and business focused. The CISO will ultimately make decisions regarding risk mitigation, financial obligations, and operating procedures that must stem from a business perspective rather than a technical expertise. In most small to mid-sized organizations we see the CISO as a role and not a full-time job.
2. Identify and Consolidate Sensitive Data
Identify and contain systems that house your organization’s sensitive information:
- Determine what information(data) you keep on your company’s storage devices. What would happen if it were to escape your control? This is your company’s risk. Likely a major breach could put your out of business for good. 60% of companies do not exist a year after a breach.
- Be sure to consider all of your data. Most of the cybersecurity regulations focus on protecting PII and the privacy of the consumer. This information is legally protected, but it may not be your company’s biggest risk. Just because you have identified all of your PII doesn’t mean the job is complete.
- Consolidate the data. Ideally into a single location. If you have data scattered across various servers, cloud services, thumb drives, and desktops the job of securing and locating data is much more difficult.
After you have consolidated your sensitive data, limit access only to those people who need it to do their job.
Consider 3rd Party Assistance
The average small or mid-sized business does not have the staff or experience necessary to handle compliance on their own. If your organization does not have employees with cyber security certifications on staff, look for an experienced partner to guide you through the process.
Contact an IT provider like Invario that’s experienced with helping small businesses implement the NIST cybersecurity framework. With the right help, you won’t regret gaining compliance and improving your data management and security!
Feedback
If you have questions about this article, or if there is an IT topic you would like to know more about please email me your suggestions.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.
Referral$
If you know of a company that would be interested in the services of Invario, please email me the company name along with the phone number and email for the person we should contact.
That is all you have to do! Upon completion of the onboarding of a new customer, Invario will pay the equivalent of one month of Invario service to that customer. Recipients that cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.