
A Step-by-Step Guide to the NIST Risk Management Framework (RMF): Simplifying Risk Management for Small Enterprises


Source: www.cyberdefensemagazine.com – Author: News team

As the decade nears its halfway mark, ransomware attacks continue to dominate headlines across newspapers and website homepages. The relentless uptick in attacks shows no signs of slowing down, and small and mid-sized businesses (SMBs) are increasingly finding themselves in the crosshairs.

Thankfully, there’s a silver lining: the National Institute of Standards and Technology (NIST) and its risk management framework (RMF). Growing businesses can reference this RMF to arm themselves with practical strategies to fend off attackers.

Let’s dive into why ransomware actors are doubling back on mid-market companies and break down the key takeaways from NIST’s latest guidance.

A Change in The Tide

Small enterprises have always been prime targets for ransomware, but their share of the pie decreased in recent years as cybercriminals set their sights on bigger, juicier targets: massive enterprises such as manufacturers and healthcare providers. These were high-stakes heists that required coordinated effort and serious investment from the attackers, but the potential payout justified the cost.

Instead of the typical shotgun approach, hackers started performing surgical strikes on high-value targets, often using double extortion tactics (or as the clever folks at Verizon’s DBIR call it, “ranstortion”). Here, the attackers encrypt the data, exfiltrate it and then demand a second ransom to avoid leaking sensitive information.

But times are changing. SMBs are now making up nearly 80% of all ransomware targets as of the first half of 2023, a trend that has only solidified since. So, what’s driving this shift?

First off, law enforcement is cracking down on big organized attack forces, scattering their members and pushing many of them to go solo. Second, the rise of affordable ransomware-as-a-service (RaaS) toolkits is making it easier than ever for these lone wolves to launch attacks. These tools, designed for ease of use and automation, enable even low-skill attackers to launch a high volume of attacks, focusing on smaller businesses that can’t afford the same defense level as larger enterprises. Smaller payouts are just fine for solo operators because they don’t have to split the take.

With a new wave of cyber skiddies on the loose, how can IT admins at SMBs protect their turf?

NIST to the Rescue: An RMF for SMBs

The security market is flooded with services, and most of them seem out of reach for SMBs with tight budgets. Recognizing this gap, NIST stepped in with a structured, systematic approach tailored for smaller organizations. NIST recently published a quick start guide to its RMF called SP 1314. While the full RMF can feel overwhelming, this new guide offers nine pages of actionable tips, along with resources for readers who want to dig deeper.

Unlike compliance standards that pile on requirements, NIST’s RMF is all about creating a repeatable cycle for framing, assessing, responding to and monitoring risk, making it adaptable to any organization, no matter the size or industry.

Here’s a brief breakdown of the seven steps NIST recommends:

  1. Prepare: The first step is to lay the groundwork for your risk management activities. This step involves designating a project leader and identifying the assets that are most valuable to your business—such as customer data, financial information or intellectual property. You’ll also need to determine what expertise is necessary to make informed decisions throughout the process. This preparation ensures that your efforts are focused and that you have the right resources in place from the start.
  2. Categorize: Once you’ve identified your key assets, categorize them based on their importance to your business operations. This process helps prioritize your security efforts, ensuring that the most critical systems and data receive the most attention. For example, you might focus first on protecting your customer database, then move on to less critical systems. This step is crucial for efficient resource allocation, especially in organizations with limited budgets.
  3. Select: After categorizing your assets, compare them against NIST’s recommended security controls (detailed in NIST SP 800-53) to choose the ones that best fit your organization’s needs and budget. This process isn’t about applying every control available; it’s about selecting the ones that provide the best protection for your most valuable assets. You can achieve more effective security without overspending by tailoring your controls to your specific risk profile.
  4. Implement: Implementation involves putting the selected controls into practice, which might include installing security software, training employees on new procedures or updating business processes. The key here is to start somewhere, even if it’s small, and build on that foundation over time. NIST’s RMF acknowledges that perfection isn’t necessary out of the gate—what matters is making progress and continually improving.
  5. Assess: Regular assessment is necessary to ensure that the controls you’ve established are working as intended. This step involves checking your controls against the metrics of success you established earlier. Simple tools like checklists can be incredibly effective in identifying gaps or areas that need adjustment. The assessment process also provides valuable insights that inform the next cycle of risk management activities.
  6. Authorize: Once you’ve assessed the effectiveness of your controls, the next step is to formally authorize them. This step involves defining a clear chain of command for decision-making, ensuring that everyone understands who has the final say on whether a system is adequately protected. Authorization provides accountability and helps streamline decision-making, especially in high-pressure situations requiring quick action.
  7. Monitor: The final step in the RMF is ongoing monitoring. This process involves continuously keeping an eye on your security posture, watching for new threats and tracking any changes in your business that might affect your risk profile. Regularly update leadership on your security status to maintain awareness and readiness. Identify new risks and re-enter the RMF cycle to address them, ensuring your security strategy remains effective over time.

Remember: These steps aren’t a one-time deal—they’re part of an ongoing cycle of improvement. Every time you go through the process, you strengthen your defenses.

Implementing a formal risk management strategy might seem daunting, but NIST’s guide is a great place to start. It’s all about making security more accessible, no matter the size of your business. Remind yourself that perfection isn’t the goal—progress is. Each iteration of the cycle enhances your defenses and ensures your security plan continuously evolves.

About the Author

Zoe Lindsey is a Security Strategist at Blumira with over a decade of experience in Information Security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.

Original Post URL: https://www.cyberdefensemagazine.com/a-step-by-step-guide-to-the-nist-risk-management-framework-rmf-simplifying-risk-management-for-small-enterprises/
