Cybersecurity risks have been with us for generations. The first computer worm to spread extensively and take down thousands of computers was introduced in 1988. Five years earlier, a computer “virus” was first defined for us by Frederick Cohen. One of the first ethical “computer” hackers was sabotaging census machines in 1944 so that religious data was not read off of punch cards, protecting Jews in France from Nazi officials. Going back to 1903, a hacker decided to educate the public on the security flaws inherent in the telegraph by co-opting a public demonstration of a telegraph receiver and delivering a message of his own likening the inventor to the Pied Piper.
Today, our cybersecurity risks continuously increase. A cybersecurity risk exists where we have assets to protect, vulnerabilities surrounding these assets and threats targeting the vulnerabilities to get to the assets. As we adopt technologies to make our lives easier and businesses run smoother, we add more vulnerabilities around the assets we need to protect. Threats come in many forms: a hacker who’s in it just for fun, a disgruntled employee looking for vindication, an outside agent looking to steal data, even a hacktivist operating under the belief that data should be available to everyone.
To minimize cybersecurity risk, we must know our assets, identify our vulnerabilities and recognize potential threats. Assets are the easiest to identify: What holds value for your business? Data, records, systems, processes, all of the above? Vulnerabilities include any weaknesses that can expose your assets to a threat. Vulnerabilities may include location, security, controls and lack of employee awareness. Threats are out there, so any vulnerability should be identified and addressed. So, how do we identify and address these vulnerabilities? We turn to frameworks and standards to help us plan to address cybersecurity risks.
The NIST Cybersecurity Framework and NIST 800-171 provide great starting places. The NIST Cybersecurity Framework provides guidelines and best practices to help us manage our risk. It provides flexible, prioritized guidance to identify and protect our resources, detect threats, and respond to and recover from attacks.
NIST 800-171 defines how to protect data, information and materials. This set of standards serves as a solid starting point for cybersecurity planning. Going through these standards will take us through our systems, controls and policies to identify gaps and vulnerabilities. We can use these standards to build a plan for cybersecurity compliance that can grow as we do. When we are fully in compliance with NIST 800-171, then we can have confidence that we are cyber-prepared to minimize risks we may face.
We have moved well beyond punch cards and telegraphs and well past the security changes put in place to address those historical hacks. We are past the time when viruses and worms were rare and a good antivirus program was all we needed. Now we face a high degree of digital interconnectivity and the threats to come. Following the NIST Cybersecurity Framework and NIST 800-171 standards can put us in a place to respond to cybersecurity attacks that are growing in complexity and increasing in number.
If you are interested in minimizing your cybersecurity risks, but aren’t sure how to begin, NC State Industry Expansion Solutions has created a free cybersecurity toolkit which you can download today. Industry Expansion Solutions (IES) is the administrator for the North Carolina Manufacturing Extension Partnership (NCMEP).
Davis, Amanda. A History of Hacking. The Institute. IEEE. March 2015. http://theinstitute.ieee.org/technology-topics/cybersecurity/a-history-of-hacking
NIST. Cybersecurity Framework. https://www.nist.gov/cyberframework
Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.