Cybersecurity frameworks are structured guidelines, best practices, and standards designed to help organizations manage and improve their cybersecurity posture. While cybersecurity may appear complex, it often isn’t the case. The same applies to frameworks—many of them become quite straightforward once you delve into them. How to understand them and use them to your advantage? Dušan Kaštan, the cybersecurity specialist from ESET, offers his perspective and valuable advice.
Understanding cybersecurity frameworks: Simplifying the complex
When people think of security frameworks, they are often scared by their complexity. What is your opinion on that?
Perhaps, one of the problems is that when you look for information online, navigating the plethora of sources and finding helpful advice can be a challenge. Many articles you may come across try to summarize frameworks, but they are unreliable and mix old data with new ones. Or they are putting together frameworks that focus on completely different parts of the business and then tell the reader “Now choose.” However, an organization would most likely benefit from using all these frameworks at once.
The purpose of various security frameworks is the same—to protect your business. But they often try to achieve that goal through different steps. As a result, you should not rely on just one framework to protect your company. Ideally, go through three or four of them and use them to protect your business from multiple angles.
So, if I was a company owner, where should I start with frameworks?
The easiest and most practical way to start is to imagine your own home as a small company and try to apply the framework there. This is something anyone can do, not just business owners. It can help you truly understand the frameworks, see their scope, and feel the effects.
Isn’t this quite difficult and perhaps unnecessary for some business owners, such as those who outsource their company’s IT?
On the contrary. Understanding the frameworks is important even if you outsource or use an MSP for your company’s IT. Imagine you want to buy some services from an MSP, but you don’t even know what those services are or what they entail. Or you need to choose between various services, but you have no idea what the difference between them is. That makes no sense, does it? Testing the frameworks on your own can be beneficial to any business owner—and, in effect, their company.
Cybersecurity frameworks are based on real-life situations and common threats. And since technology is a highly dynamic field, they change over time. This is why you should always pay attention to the date of publication and use frameworks that are up to date.
Practical steps for implementing security frameworks
Which framework is optimal for “home” test?
A good place to start is the GCA Cybersecurity Toolkit. It can help you with your first steps into the world of security frameworks. You can pick from different toolkits, based on whether you’re an individual, a small company, and so on. Each toolkit describes various aspects of cybersecurity, such as encryption, password security, backups, and more. It then guides you through covering all these possible vulnerabilities, one at a time. If you omit any of them, you remain vulnerable. And this is a common problem.
For example, IT professionals often know about phishing, so they download software that can help them with this issue—but there are also parts of cybersecurity they find too complex and don’t want to deal with, such as encryption. Their solution is to just skip these, which ultimately means they remain exposed. Cybersecurity frameworks can help IT professionals be more systematic and not overlook any of the essential steps.
When it comes to frameworks, where would you start?
CIS has a good guide you can follow. This framework is especially useful for SMBs, but even larger businesses can benefit from its use. It has several layers that you can apply, starting with the first one and getting more complex as you go. The main rule is to fulfill all the points of the first layer to move to the second one, then the third one, and so on. For small businesses, maybe only the first layer may be needed, but larger businesses can—and should—proceed to the second or third layer.
What about the NIST framework?
This one is a bit more theoretical. It is also more multifaceted. When you investigate it, it covers risk assessment, for example, which is not described in the CIS framework. On the other hand, it is not as instructive as CIS. While CIS tells you what you need to do, NIST points at some aspect of your security and tells you, “Here are the things you should have covered.” If we connect the CIS framework with NIST, we end up with a very useful combination. While NIST tells you about the many different assets you should secure, CIS can be your step-by-step guide.
Useful links
To get more information about the CIS framework, click here.
To see the different layers and learn how to implement the CIS framework, step by step, click here.
To read answers to some of the most common questions about the CIS framework, click here.
To get more information about the NIST framework, its benefits, and possibilities of implementation, click here.
Let’s go back to the basics. How would applying a security framework look like in reality?
All you’d need to do is follow the steps described by the frameworks. For example, the CIS framework advises starting with a detailed asset inventory. After that, the second step according to the CIS framework is software inventory. That means that you should be asking yourself: Which software does our company use? How many instances of each software are there? Are there any unused apps on our devices that haven’t been updated recently? Each vulnerability on a device can potentially be a vulnerability to the entire company, so you should gradually eliminate all potentially insecure apps.
That is quite useful.
Yes, that’s precisely my point. Many employees don’t feel the need to follow a security framework, and even business owners often believe that cybersecurity is something only their IT team needs to focus on. Frameworks can be useful on a wider as well as much smaller scale. Cybersecurity frameworks are not just a piece of paper full of rules written by some unknown smart person. They exist for your benefit, helping you avoid security gaps that you might otherwise overlook. The key is to learn how to use them effectively.
Common misconceptions and overlooked vulnerabilities in cybersecurity
What are some cybersecurity holes that companies often overlook?
To provide a precise answer to this question, I would need access to a vast amount of data—which I don’t have. However, I can share insights into which assets are most commonly targeted by cybercriminals. There appears to be a clear connection between these targeted assets and overlooked vulnerabilities. Cybercriminals focus on what they perceive as the easiest entry points. But to get to the answer, many attacks target mobile devices. Weak passwords and lack of encryption are also often an issue. Finally, I believe companies also commonly fail in one of the most basic practices: having a perfect overview of which devices they have in their system.
ESET PROTECT has the ability to retrieve hardware inventory details from connected devices such as details about a device’s RAM, storage, and processor. You can even create custom dynamic groups based on the hardware inventory details of connected devices.
What are, in your opinion, some common misconceptions about frameworks or cybersecurity in general?
Employees often associate cybersecurity with very complex threats. But the most common—and thus most dangerous—threats are often quite simple. For example, employees assume that someone may hack their phone and get to their data. In reality, it is much more usual for hackers to wait until someone enters their credentials in a public place and then steal the device when it’s left unattended. This issue could be easily avoided if companies paid more attention to the basics of cybersecurity—and sometimes security in general. There is also another common misconception that comes to mind.
Which is?
Companies, especially small ones, often wonder: “Why would I be an interesting target for hackers? Surely, they have bigger fish to fry.” Unfortunately, this belief sometimes leads companies to neglect cybersecurity. However, the truth is that not all attacks specifically target companies. Many cybercriminals attack indiscriminately using tools like Ransomware-as-a-Service and similar methods. Paradoxically, this lack of attention makes small businesses the perfect targets for cybercriminals. Therefore, even small businesses must prioritize cybersecurity, and implementing frameworks can significantly enhance their defenses.
