How to Manage Ransomware Risk: (NIST Framework Part 1: IDENTIFY)

Jed Fearon

Solution Advisor, 17+ years of experience in MSP Solution Development, Sales and Marketing Communications

Welcome to part one in a series of five blogs created to help you manage ransomware risk with the NIST framework.

NIST is short for National Institute of Standards and Technology. In a world of near-infinite hardware, software, and cloud options (and opinions), this non-regulatory agency and its Information Technology Laboratory (ITL) maintain an evolving catalog of publications that serve as compliance-friendly blueprints to guide your IT journey.

NIST’s technical leadership fuels the U.S. economy and public welfare with measurement and standards recommendations (based on extensive testing and analysis) to advance the development and productive use of information technology.

Why should this matter to you? NIST continuously develops management, administrative, technical, and physical standards, along with guidelines to inform and prioritize cost-effective security and privacy initiatives for your business.

They’re doing most of the heavy lifting, so you don’t have to! And your burden will be even lighter if you allow your MSP (and their vCIOs) to play a commanding role in guiding your journey.

The Ransomware Problem

As per NIST, “Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public.”

Learn More: NISTIR 8374 Draft

While managing risk always involves new budgetary considerations, your costs will be offset if your organization harnesses thoughtfully planned and architected technology to grow your business AND to avoid being torpedoed by ransomware attacks and the legal exposure that follows them.

The outcomes you wish to avoid are almost always much more expensive than preventative measures!

Learn More: Ransomware Costs Besides the Ransom

NIST Framework Part 1: IDENTIFY

IDENTIFY is the first of the framework’s five Functions, and the following six categories are foundational for it. Your major stakeholders (IT steering committee) and your vCIO will cast a wide net to capture and classify all of your people, processes, and technology.

Learn More: IT Steering Committee

Getting everyone on board is critical for this ground zero inventory exercise. No silos, hidden compartments, or secrets are allowed.

One-hundred percent transparency is required for the framework to match what it’s designed to protect and make more resilient.

1 - Asset Management

This broad sweep encompasses cataloging and prioritizing the role all employees, IT systems, workstations, mobile devices, data, and facilities play in fulfilling your business objectives and risk strategy, and recording who owns each one.

Think of this as a spring cleaning: the first pass is the hardest, and once the inventory exists it is far easier to keep current than to rebuild. Knowing that, you’ll approach the endeavor with a little more energy and optimism.

You’ll need this for the data organization part—a lot of SMBs struggle with deciding what to keep and what to delete.

Don’t get me started on the quest to find information that has been squirreled away for years on corporate file shares, off-the-radar user desktops, and unauthorized cloud apps.
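The data-inventory part of this sweep is the one that gets skipped for lack of tooling, so here is an added example (mine, not the author’s and not from any NIST publication) of the kind of first-pass scan a vCIO might run over a file share: walk the tree, record size, owner, and age for every file, flag anything untouched for three years as stale, and flag files whose contents match simple sensitive-data patterns (SSN-formatted numbers and 16-digit card numbers that pass a Luhn check). The three-year threshold, the regexes, and the sample share it builds in a temporary directory are all assumptions constructed for the demo.

```python
"""Stale and sensitive-data inventory for an Asset Management sweep.

Added example; the thresholds, patterns, and sample data are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

STALE_DAYS = 3 * 365  # assumption: untouched for three years counts as stale
DAY = 86400

# Deliberately simple heuristics; tune them to your own data classes.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sensitive_hits(data: bytes) -> tuple[int, int]:
    """Count SSN-formatted matches and Luhn-valid 16-digit card numbers."""
    ssn = len(SSN_RE.findall(data))
    cards = sum(
        1 for m in CARD_RE.findall(data)
        if luhn_ok(re.sub(rb"[ -]", b"", m).decode())
    )
    return ssn, cards


@dataclass
class FileRecord:
    path: str
    size: int
    owner: str
    age_days: int
    stale: bool
    ssn_hits: int
    card_hits: int


def owner_of(st: os.stat_result) -> str:
    """Resolve the owning user where the platform exposes one."""
    try:
        import pwd  # POSIX only; Windows falls through to the uid string
        return pwd.getpwuid(st.st_uid).pw_name
    except (ImportError, KeyError):
        return str(st.st_uid)


def inventory(root: str, now: float | None = None, max_scan_bytes: int = 1_000_000) -> list[FileRecord]:
    """Walk a share and build one record per regular file."""
    now = time.time() if now is None else now
    records = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        age_days = int((now - st.st_mtime) // DAY)
        with open(p, "rb") as fh:
            ssn, cards = sensitive_hits(fh.read(max_scan_bytes))
        records.append(FileRecord(
            str(p.relative_to(root)), st.st_size, owner_of(st),
            age_days, age_days >= STALE_DAYS, ssn, cards,
        ))
    return records


def triage(records: list[FileRecord]) -> dict[str, list[str]]:
    """Bucket paths for the keep-or-delete review: sensitive first, then stale."""
    return {
        "sensitive": sorted(r.path for r in records if r.ssn_hits or r.card_hits),
        "stale": sorted(r.path for r in records if r.stale),
    }


def build_sample_share(root: str) -> None:
    """Constructed sample share: one stale payroll export with fake PII, one stale
    minutes file, one current document. 123-45-6789 and 4111 1111 1111 1111 are
    well-known dummy values, not real identifiers."""
    files = {
        "hr/payroll_2015.csv": (b"name,ssn,card\nJ. Doe,123-45-6789,4111 1111 1111 1111\n", 4 * 365),
        "old/minutes_2016.txt": (b"Board minutes. No action items.\n", 5 * 365),
        "current/roadmap.md": (b"# Q3 roadmap\n- migrate file server\n", 2),
    }
    for rel, (body, age) in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        mtime = time.time() - age * DAY
        os.utime(p, (mtime, mtime))


def demo() -> dict[str, list[str]]:
    """Build the sample share in a temp dir and return its triage buckets."""
    root = tempfile.mkdtemp(prefix="share_")
    build_sample_share(root)
    return triage(inventory(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Point `inventory()` at a mounted share instead of the sample directory to get the real list; the two buckets it returns are exactly the "what to keep and what to delete" conversation the section describes, with the sensitive bucket going to legal and HR before anything is removed.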

2 - Business Environment

What is your mission? Which objectives, stakeholders, and activities need to be reviewed, prioritized, and aligned for success?

Answers covering those four elements (mission, objectives, stakeholders, and activities) will define individual cybersecurity functions, duties, and risk management choices.

3 - Governance

The management, administration, and monitoring of cybersecurity risk require formal policies, procedures, and processes.

Together they document how you meet regulatory, legal, environmental, and operational requirements.

Some examples of the policy areas to cover include:

  • Prevention (basic blocking and tackling)
  • Mitigation (limiting the damage once there’s an incident)
  • Contingency planning (system resilience to prevent a breach from taking down the business)

4 - Risk Assessment

Testing, scoring, improving, and repeating the drill are the best ways to stairstep your way into a higher state of cybersecurity resilience.

How would a ransomware attack affect your operations and reputation? Do you understand the potential costs and PR fallout?

It’s a lot different for a large corporation with hardened infrastructure and built-in redundancies. A small business with a best-effort network and no backup plan could lose everything.

5 - Risk Management Strategy

At this stage, the organization has established its priorities, constraints, and risk tolerances, and the program is up and running and enforced. Key stakeholders are now responsible for maintaining those decisions and using them to make and sustain operational risk determinations.

Since it’s dependent on stakeholder buy-in (which may wax and wane from time to time), an experienced vCIO can serve as a stabilizing coach and referee.

Managing ransomware risk is a process as opposed to a final destination. And every company starts at a different place.

Learn More: Profile of vCIO Services

6 - Supply Chain Risk Management

Not only does your own house need to be in order, but you must also consider third-party supply chain risk.

This requirement makes sense because businesses are only as secure as their weakest link. However, not everyone has the luxury of using vendors they know, like, and trust, who also take the same formal approach to cybersecurity.

If you’re not ready to conduct ransomware contingency planning and testing with suppliers, I recommend reviewing independent audits and cybersecurity insurance policies.

Forward-thinking businesses invest in annual reviews from independent auditing firms and robust insurance coverage for two reasons: to maintain compliance and market themselves to risk-averse clients.

Insurers increasingly require specific controls (multi-factor authentication, tested backups, and endpoint detection are typical questionnaire items) before they will write coverage or pay a claim, and many of those questionnaire items trace back to NIST guidance.

Learn More: Cybersecurity Insurance Coverage Trends

I would also keep your vendor options open.

What’s Next?

I hope you are getting more comfortable with the NIST ransomware management basics.

The success of your mission hinges on business-enabling technology strategically planned to boost operations and minimize disruptions of any kind.

Related blogs covering the four other Functions of the NIST Framework (Protect, Detect, Respond, and Recover) are on the way.

If you enjoyed this article, you might also like some of the related content in our free eBook.