How to put the NIST Cybersecurity Framework into practice
Managed service providers (MSPs) are under attack. In the modern era, cyber threats are a daily occurrence, and no business is safe. This isn’t melodrama—it’s an inescapable truth.
For many years, MSPs were able to get away with their ‘house’ not being in order. They were always focused on their customers, their process, their systems. But those days are gone.
To help you start laying strong cybersecurity foundations that will protect both your business and your customers, Andrew gathered five top security experts for his webinar, Putting the NIST Cybersecurity Framework Into Practice. These included Wayne Selk, Director of Professional Services Strategy at ConnectWise, Wes Spencer, Chief Information Security Officer at Perch Security, Chris Loehr, President of Solis Security, and Harry Perper, Chief Engineer at the Mitre Corporation. He was also joined by Colonel Josh Potter, a decorated U.S. Army officer and Chief of the Transnational Threats Division, U.S. Special Operations Command (USSOCOM).
Together, they broke down how MSPs can prepare themselves and their customers for battle. Here are some of the key takeaways from their discussion.
Waging cyber war
Colonel Potter is no stranger to threats. At USSOCOM, he leads teams in the detection, disruption, and defeat of terrorist threat networks that transcend traditional geographic and regional boundaries. Since 2016, USSOCOM has been orchestrating Dark Web takedowns through a network of cybersecurity specialists spanning 60 nations.
“This is not a one- or two-industry threat,” Potter says. “We are looking at a societal risk that is going across our entire cyber environment.”
Recent research from FireEye reveals a 26% increase in malicious URLs quarter over quarter. As Potter explains, these threats aren’t just coming from individuals. State-sponsored agencies and organized crime syndicates are also responsible for countless attacks, adding a new layer of threat. These groups are highly creative, adaptable, and well-funded.
“Cybercriminals are searching for our vulnerabilities in order to exploit them,” Potter says. “They’re eroding public confidence and increasing costs. It’s happening every day, and it’s not just happening at a local level. Let there be no mistake—we are currently in an active cyber war.”
MSPs are on the front line
When cybercriminals attack organizations, MSPs will inevitably shoulder a lot of the blame.
“You are responsible for making sure it’s not your clients that are getting breaches,” Potter says.
The truth is, many MSPs may not realize how vulnerable their clients actually are—which makes adopting the right cybersecurity framework more critical than ever.
“69% of the small businesses we’ve surveyed had not identified and documented their cybersecurity threats,” Selk says. “48% had not analyzed cybersecurity targets and methods.”
These statistics are alarming. As an MSP, your customers are looking to you for protection.
But first, you need to make sure you’re protecting yourself.
The five pillars of protection
Not having the proper foundation can cause significant gaps in your security offerings, leaving both you and your customers vulnerable to attack.
To combat this reality, the National Institute of Standards and Technology (NIST) developed a Cybersecurity Framework that provides standards, guidelines, and best practices for managing cybersecurity-related risk. The framework consists of five foundational pillars: Identify, Protect, Detect, Respond, and Recover. Here is what those pillars look like in practice.
• Identify
Identification is a critical first step in the Cybersecurity Framework.
First, you should ask yourself: What’s running in my network? What are my assets, vulnerabilities, and risks?
“If you don’t know what’s in your network, you cannot protect your network,” explains Spencer. “That’s a fact of life.”
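As an added illustration of the Identify step (this is not code from the webinar, from ConnectWise, or from any speaker's product), the following Python reconciles a constructed ARP-style scan against a constructed asset inventory and flags hosts nobody documented, documented assets that were not seen, and assets with no owner or threat analysis. The MAC addresses, IPs, and inventory entries are made-up sample values.

```python
"""Identify: compare what is actually on the wire with what is documented.
Added example; scan lines and inventory below are constructed values."""
from dataclasses import dataclass, field
import re

# Constructed inventory: what the MSP believes is on the network.
# "threats" stays empty for assets nobody has assessed yet.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "fw-edge", "owner": "netops", "threats": ["exposed mgmt port"]},
    "aa:bb:cc:00:00:02": {"name": "file-srv", "owner": "ops", "threats": []},
    "aa:bb:cc:00:00:03": {"name": "printer-2f", "owner": "", "threats": []},
}

# Constructed ARP-style observations ("<ip> <mac>"), as a scan might return them.
OBSERVED = """\
10.0.0.1 aa:bb:cc:00:00:01
10.0.0.20 aa:bb:cc:00:00:02
10.0.0.77 de:ad:be:ef:00:99
10.0.0.78 de:ad:be:ef:00:9a
"""

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$", re.I)

@dataclass
class IdentifyReport:
    unknown_hosts: list = field(default_factory=list)      # seen on the wire, never documented
    unseen_assets: list = field(default_factory=list)      # documented, not seen (stale inventory?)
    unassessed_assets: list = field(default_factory=list)  # documented, but no owner or threat analysis

def parse_observed(text):
    """Return {mac: ip} for every well-formed scan line; junk lines are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts[m.group(2).lower()] = m.group(1)
    return hosts

def reconcile(observed_text, inventory):
    seen = parse_observed(observed_text)
    rep = IdentifyReport()
    for mac, ip in seen.items():
        if mac not in inventory:
            rep.unknown_hosts.append((ip, mac))
    for mac, asset in inventory.items():
        if mac not in seen:
            rep.unseen_assets.append(asset["name"])
        if not asset["owner"] or not asset["threats"]:
            rep.unassessed_assets.append(asset["name"])
    return rep
```

Each finding maps back to the Identify questions above: unknown hosts are assets you did not know you had, and unassessed assets are the documented-but-never-analyzed gap Selk's survey figures describe.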
• Protect
Next up is protection, the process by which organizations develop and implement safeguards to build cyber resilience.
The unfortunate truth about this step? Eventually, it often fails.
“All it takes is one small human error,” says Loehr. “There are too many opportunities to allow attackers in. Customers can be down for days or even weeks as a result of the error made by the MSP, whether that’s a technical error or an error of judgement. It’s extremely painful—and it’s something the customer will never, ever forget.”
• Detect, Respond, and Recover
For Spencer, protection is the bare minimum that MSPs should be doing—for themselves and their clients.
“That’s called doing our jobs,” he says. “That’s due diligence.”
But the job doesn’t end there. Just as a lock won’t always keep a criminal out of your home, a cybersecurity measure won’t keep every cybercriminal out. At that point, detection and response are critical to minimize the damage and make a recovery possible.
“If you get hit as an MSP,” Spencer says, “that’s a game-ender. You lost full control.”
Adopting the same mental framework
The simple truth is that a lot of cyberattacks shouldn’t have occurred in the first place. Often, the true culprit is negligence.
“We’re not aware,” Spencer says, “so we’re not doing anything to protect ourselves. We’re like the ostrich with his head buried in the sand.”
With the right Cybersecurity Framework, though, you can dig your head out of the sand and actively defend yourself—and your customers—from attacks.
More than anything, a great framework raises awareness. “The NIST Cybersecurity Framework allows you to have a conversation from the geek suite to the C-suite and back,” says Perper. Cybercriminals may be waging war—but united by the same mental framework, your team can fight back.