A research effort to better understand how government cybersecurity documentation has assisted small businesses in developing their own protection.
Introduction
When viewing security as a concept, what would you consider safe? Some might only think in terms of physical security, locking their house at night, keeping valuables in a safe, maybe even installing cameras throughout their front lawn. Unfortunately, in a modern world consisting of ever-advancing technology, this is not enough. As crazy as it is to think about the latest iPhone and how they have advanced by a seemingly impossible margin in just a few short years, technology as a whole has followed suit. This leaves many wondering just how safe they are online, while others relax under a false sense of security and choose to believe that they are without harm in a digital space. For me, this question has plagued my sense of imagination for about a year now, leaving me to uncover truly what it takes to remain safe in a digital climate.
The individual may be able to squeak by without needing to take the necessary precautions, however, this mindset carried into a business or infrastructure climate could spell disaster if not careful. While the individual with their newest MacBook can rest easy knowing they have the potential to be safe just by updating to the newest OS, a business framework cannot survive without proper preparations. Cyber-policy is not educated as clearly within a business setting as I believe it should be, therefore forcing those starting a business to approach the mindset of security on their own, or in some cases not at all, leading to their liveliness remaining open to attack. Thankfully, with the assistance of the National Institute of Standards and Technology, guidelines on how to keep one’s personal business secure have been released, allowing for even the smallest of businesses to keep themselves safe from attack.
Contributing Topic #1
The guideline in question originated from the NIST as part of Executive Order 13636 signed on February 12, 2013, which focused on introducing a system of sharing current cybersecurity threat information while also building an approachable framework for use in reducing risk in a business or infrastructure space (NIST, 2018). The framework is comprised of five main skills; Identify, Protect, Detect, Respond, and Recover, all of which combine to form an educated mindset on how to approach any possible vulnerability and therefore know the necessary skills needed to respond to that situation. {5} Although the framework does not provide particular systems used to protect against attacks or networks to monitor for vulnerabilities, it provides the tools necessary to recognize risk and know how to minimize the potential destruction caused by those situations. This is vital for any early developing business as the members might not have the necessary risk assessment skills needed in order to confidently respond to these types of attacks or quickly recover in case of emergency. The failure to do so could cost the new business vast amounts of money just to recover, or in worse cases set the budding company on an irreversible path to ruin. {4} The framework also provides information on how to defend against the most vulnerable portion of any network, the user domain. Although cybersecurity might rely heavily on firewalls blocking harmful data or algorithms to sniff out malware, cybersecurity relies also on physical security as well as personal security. The ability to understand vulnerabilities amongst your staff is crucial to maintaining a secure environment and can be used to minimize risk within the workspace as well. Anything from writing passwords on post-it notes to leaving access doors propped open, these vulnerabilities offer just as much danger as a piece of malware eating away at an internal network. Thankfully, however, these vulnerabilities are easily avoided with the help of proper training and employee communication. By using the framework, companies can develop a deeper level of trust amongst their peers as well as minimize their risk from within their most vulnerable domain.
{6} Comparing the framework and the skills taught within to a traditional data security system, the most common difference presented is that the skills offered within the framework are vastly inexpensive compared to other methods. This was something that was highlighted in the previous year as the COVID-19 pandemic forced many small businesses to an online environment. As the framework is more of an idea set compared to a network-based system, even those against the idea of internet-based marketplaces could learn the proper skills needed to safely run their business within a new setting. The inexpensive nature mentioned allows for these small businesses to operate without the risk of financially plummeting unlike other means of security which provides protection at a more cost oriented approach.
Contributing Topic #2
Opposed to the non-traditional means of data security offered by the NIST framework or other self-taught means of risk and vulnerability assessment, there are other means of data security that while providing excellent service to those that install it, come not only with many shortcomings, but with a hefty price tag as well. While these systems may seem perfect for what they do, many small businesses cannot afford to take the risk when implementing these systems as the price tag if not immediately beneficial could set them back almost indefinitely. The Supervisory Control and Data Acquisition system known as SCADA for short is one of these bigger network control systems that is able to monitor and even control infrastructure systems. {8} Although this system can prove beneficial for big name infrastructure companies due to the protective features it offers, any small business won’t benefit from this at all, and any startup infrastructure setting will be set back by the hefty price tag. A traditional SCADA system is estimated to cost upwards of $100,000 just to install the system with many other large price tags for yearly upkeep and maintenance (Sagues, 2013). The cost/benefit relationship with the SCADA system is although potentially positive when dealing with major issues over the network, however, the price for any developing infrastructure is not something to just ignore as it has the potential to harm the overall company.
{9} Of the many ways that cybersecurity has marked a change within our society as a whole, systems such as SCADA have proven that business interdependency within a global setting doesn’t exist solely within a market setting. While global markets are great for business, they sometimes can prove to harm infrastructure either through attack or competition. Systems such as SCADA while able to monitor for issues within the infrastructure network protect against cyber-attacks as well, something that has proven to be the new norm within the 21st century world (forcepoint). Our reliance on these types of systems stems not only from how it can assist us in day-to-day operations, but in how they can aid us in defending ourselves from these new types of attacks. {7} However, no matter how useful these types of systems seem, they are not without flaw. Unlike a simple framework or set of guidelines systems such as SCADA have the potential to fail or even disrupt operations due to the setbacks given. Unintended consequences in a cybersecurity environment originate from a false sense of security, or the feeling that you are safe without the fear of interruption. SCADA, while it has proven effective over the years, has decreased in effectiveness as technology has progressed. Some companies have reported more SCADA related vulnerabilities in 2019 than in any other year. Some claim that this relies within the system itself not having the update functionality to keep up with advancing tech, while others believe that the system is just unable to stressfully continue to operate under the conditions of our modern world (trendmicro, 2019). Whatever the case, the cost to benefit relationship is divided between a traditional system such as SCADA versus a non-traditional, more educated approach such as a framework like the NIST’s.
Conclusion
{10} Throughout the years, cybersecurity has changed how businesses have had to both approach problems as well as deal with them entirely. Socially this has altered both how businesses are ran while also changing how storefronts exist within a digital, modern climate. Especially throughout the COVID-19 pandemic, many brick-and-mortal storefronts have been forced to migrate online, unaware of truly the level of danger that exists on a digital landscape. These businesses have been forced to adapt, however, thanks to non-traditional methods of cybersecurity education, cost effective ways of keeping one’s business safe has proven to be a worthwhile approach. Opposed to this mindset, other more traditional mindsets of cybersecurity exist, such as the implementation of SCADA systems in an infrastructure setting. While costly and seemingly effective, these more traditional systems have struggled to keep up with the changing times, providing more and more vulnerabilities as the years move on. Modernism exists not within cybersecurity but alongside it, forcing each type of business environment to adapt not to what cybersecurity has changed, but to what cybersecurity is helping change.
References
Keller, N. (2019, November 21). History and Creation of the Framework. NIST. https://www.nist.gov/cyberframework/online-learning/history-and-creation-framework.
One Flaw too Many: Vulnerabilities in SCADA Systems. Security News. (2019, December 16). https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/one-flaw-too-many-vulnerabilities-in-scada-systems.
Sagues, P. (2018, January 22). Small Scale SCADA. Treatment Plant Operator. https://www.tpomag.com/editorial/2013/08/small_scale_scada_wso#:~:text=We%20needed%20a%20way%20to,administer%20%E2%80%94%20clearly%20beyond%20our%20budget.
What is SCADA Security. Forcepoint. (2020, March 25). https://www.forcepoint.com/cyber-edu/scada-security.