Security Frameworks 101: 7 Takeaways from our Global Security Summit
No matter the size of a business, having a security framework is crucial. Cybersecurity frameworks help managed service providers (MSPs) identify security gaps and areas of weakness, ensuring your client’s data is safe and secure.
There are many cybersecurity frameworks to choose from, including NIST, COBIT, CIS, Zero Trust, and more. Each framework has its own distinct characteristics to fit your clients’ unique needs.
MSPs joined a panel of Datto experts for our recent Security Summit 101 webinar, Security Frameworks 101: What You Need to Know to Stay Secure. The panel discussed how each framework fits different needs, and why having the right framework is crucial to preventing harmful data loss. Here are seven key topics and takeaways:
1. Cybersecurity
As remote working continues to increase, so does cybercrime. Cybercriminals have been devising more sophisticated attacks to aim at small businesses. Ransomware attacks can have devastating impacts on their victims. As with any business, time is money: On average it costs $8,000 per hour of downtime for small businesses to recover from a ransomware attack.
As an MSP, it is up to you to ensure your client’s data is secure, safe, and not vulnerable to ransomware attacks.
2. 7 Essential Cybersecurity Frameworks
Cybersecurity frameworks (CSFs) are critical for pushing strong policies and products. With over two dozen CSFs to choose from, this webinar focused on the seven leading frameworks:
CIS (Center for Internet Security)
CIS is a non-profit whose members collectively help to identify and refine effective security measures. The defense-in-depth model helps prevent and detect malware by having 18 CIS controls that are prioritized and designed to safeguard a cyberattack.
CMMC (Cyber Security Maturity Model Certification)
The CMMC framework was developed by the U.S. Department of Defense. It provides a model for contractors in the Defense Industrial Base to meet various security requirements. CMMC maps their controls to the NIST framework (below) and is broken down into three levels: Foundation, Advanced, and Expert.
NIST (National Institute of Standards and Technology)
The NIST cybersecurity framework is published by the U.S. National Institute of Standards and Technology, and is perhaps the leading CSF today. This framework provides a “high level taxonomy of cybersecurity outcomes and methodology to assess and manage those outcomes.” The NIST framework is organized by five functions: Identify, Protect, Detect, Respond, and Recover.
COBIT (Control Objectives for Information and Related IT)
COBIT is a popular framework created by ISACA, an international association focused on IT governance and used heavily throughout Europe. This framework is business focused and defines a set of generic processes for the management of IT, making COBIT good for large to mid-market organizations and enterprises.
Essential Eight
Essential Eight is a cybersecurity framework developed by the Australian Cyber Security Center. It comprises eight essential components designed to help organizations protect themselves against various cyberattacks. This framework leans heavily towards protecting Microsoft Windows-based internet-connected networks.
ISO 27001 (International Standards Organization)
ISO 27001 is an international standard for managing information security. Organizations that meet the standard’s requirements can be certified upon successful completion of an audit. ISO controls are comprehensive: They cover 144 controls in 14 groups and 35 control categories.
Zero Trust
Zero Trust is not technically a framework, but a model that continuously checks authenticity. The main concept of Zero Trust is “never trust, always verify”. Key principles of the Zero Trust model are: verify explicitly, use least privileged access, and assume you will be breached. This model has gained widespread popularity and adoption across many organizations including: Google, Microsoft, Cisco, CheckPoint and others.
3. Outlining Controls in a Framework (CIS)
The CIS controls are easy to approach and implement for an MSP just getting into security responsibilities. With the many options and technologies to choose from, CIS provides a roadmap on where to start and where to direct your efforts. Each control breaks down other frameworks in a map for clear interpretation. The CIS framework helps you understand your unique challenges, and provide you with a tactile map to secure you through the battlefield.
4. Keep Your Business Secure with Frameworks
Protecting data is essential to any business because cyber attacks cause costly downtime and a lengthy recovery period. No matter which framework you use, the bottom line is clear: Frameworks are critical to keep your client’s data secure. They give MSPs visibility into where companies are lacking protection. This will allow you to keep your clients fully secured and understand how to close the security gaps. Additionally, a framework like COBIT has certifications for you and your employees that expand skills and enterprise on IT.
5. Considering Your Clients’ Wants and Needs
Security is complex. It’s your job as an MSP to stay ahead of security threats, and implementing a framework allows you to do this. You are able to eliminate and reduce risk, as well as improve your posture within your client’s organization.
All frameworks have their pros and cons, so it is important to understand which best fits your clients’ business. Make sure you choose the right one to set up you and your clients for success.
6. Honesty about Your Security
Security assessments are an important reminder of the threats to which you could be most vulnerable. It’s best to be brutally honest during these assessments and map out a plan for improving your security. Drive your answers through an assessment and honestly consider what you do and don’t have through the resulting data.
7. Reassessing
Reassessing annually guides you to physically and analytically display to your clients areas in which you have improved. This improves the customer experience, establishing trust and reliability that their MSP is looking out for their best interests. Also, insurance companies can view your growth in understanding how safe and secure the business is. Constantly examining the framework will mature your organization, creating a return on security investment that will better manage your business.
Stay Secure and Protected
Data loss and downtime can destroy an organization. Using a framework gives you controls that notify you of any risk. Getting to a point where you feel safe and secure with your CSF will help you to efficiently run your business without the fear of data loss. Getting to a fully protected state could take years, but in the long run it will make or break your business. Take your time and properly decide the framework that’s best for you.