Cybersecurity frameworks are not enough to protect organizations from today’s threats

Critical infrastructure and global enterprises are increasingly being targeted by financially motivated cybercriminal gangs and even nation-state threat actors as cybersecurity incidents proliferate. Organizations today face multiplying threats and increasing risks due to a constantly changing threat landscape.

New cryptojacking and ransomware programs increased by 75% and 42%, respectively, last year, while OT vulnerabilities increased by 88%. In 2021, businesses experienced an average of 270 attacks, a 31% increase over the previous year.

Threats are expanding at a rate never seen before, leaving security teams to deal with the countless difficulties that these risks entail. Companies in the public and private sectors have adopted cybersecurity frameworks like NIST and MITRE ATT&CK to address the business risk currently at the forefront of cybersecurity board discussions.

Frameworks for cybersecurity are intended to assist organizations and governments in understanding, managing, and lowering their cybersecurity risk. The NIST framework is used by all 16 critical infrastructure sectors, including manufacturing and the energy industries, while MITRE ATT&CK is used by 80% of businesses. Leading organizations frequently use more than one framework to meet international standards and enhance cybersecurity outcomes, according to a recent ThoughtLab study.

The Cybersecurity Framework’s Shortcomings

The framework replaces the creative process of trial and error with a one-size-fits-all incentive: compliance with recommended federal standards. This approach has several flaws.

  • Cybersecurity threats are always changing and can never be fully represented by even the most expertly designed flowcharts. By prioritizing rigid, centrally designed standards, policymakers are neglecting potent threats that are not yet on their radar.

  • The framework’s jurisdiction is far too broad, using a definition of “critical infrastructure” that encompasses a wide range of firms and industries. Labeling everything as “critical” causes the classification to lose meaning.

  • The federal government’s own experience with cyber-threat notification processes is abysmal. Agencies routinely suffer data breaches, and mandated cybersecurity procedures, when developed, are rarely followed and show few benefits. If the federal government cannot oversee adequate cybersecurity for itself, it is unlikely it can do so for the whole country.

  • The Cybersecurity Framework does not end the federal government’s inconsistent practice of overclassifying cyber threats. Until cyber threats are adequately declassified and shared, firms and networks will be in the dark about possible attacks.

  • The framework opens the door for rent-seeking and corruption. The parties identified to develop and implement the framework harbor clear conflicts of interest. The framework will add to the number of avenues through which corporations can extract public wealth for private gain.

A Better Solution: Retain and Strengthen Dynamic Cybersecurity

Promoting defense in depth and proprietary systems

  • Today attackers are prepared for the most common tools, not the uncommon ones. Use tools that are not massively deployed and make them part of your defense-in-depth strategy.

  • Government should promote zero trust and provide subsidized support for small and medium businesses.

  • Cybersecurity insurance would promote proactive risk reduction efforts to decrease insurance company costs. Insurance companies would use audits and rate pressure to encourage clients with substandard security practices to improve.

  • As a spillover effect, insurance companies would learn best practices from experience with their clients. They could continually improve the net level of cybersecurity by developing better recommendations and standards. Still, insurers must stay focused on ensuring that effective controls are in place, not on whether the client is using the most common tools, since those are the ones more likely to be compromised.

  • Cybersecurity insurance would more accurately price and distribute risks and liabilities, leading to higher costs for high-risk organizations. High-risk organizations would be reported to FinCEN and fined for negligence based on the data and assets in their custody.