Putting the AP in hAPpy

Episode 80: The NIST Framework. Free Guidance to Manage and Reduce Cybersecurity Risk with Korinne Jackman

April 23, 2020 Debra R Richardson Episode 80

As of the recording of this podcast, the third week of April, the world is still in varying stages of the global coronavirus pandemic and shelter in place requirements. Many companies and their AP teams were abruptly sent home to work, whether or not the company or the employee was prepared to deal with, among other things, the increased cybersecurity risks. Today I have on the podcast Korinne Jackman, who will explain in detail the NIST Framework that was designed to help companies of all sizes put a plan in place to better manage and reduce cybersecurity risk.

What We Discuss

  • The five functions of the Core.
  • The purpose of the recently added Tiers and Profile sections.
  • What tools and references NIST provides to help businesses apply this framework.
  • What policies should be included for AP team members working from home.

Keep listening.

Check out my website www.debrarrichardson.com if you need help cleaning your vendor master file or implementing authentication techniques, internal controls and best practices to prevent fraudulent payments. 

Subscribe today to be entered in the subscriber-only monthly drawing to win a free Putting the AP in hAPpy Coffee Mug.  

Links mentioned in the podcast:   

NIST Links: 

spk_0:   0:08
Hello, everyone. This is Debra Richardson, and today I am Putting the AP in hAPpy, where accounts payable teams are empowered to protect the vendor master file from fraud. This podcast will give a voice to accounts payable team members by talking about the growing reality of cyber attacks in their world and which vendor setup and vendor management techniques they can apply to protect the vendor master file from fraud. If you or your team members are processing requests that you received via email to change vendor banking, please register for my free webinar, Protecting Vendor Bank Details When You Receive Changes via Email: Beyond the Phone Call. That webinar will be on Wednesday, April 26, starting at 10 a.m. Central time. It will be live, but if you are listening to this podcast after that time, the recording will be available as well. Go to www.debrarrichardson.com/webinars for more information on this and future webinars. As of the recording of this podcast, the third week of April, the world is still in varying stages of the global coronavirus pandemic and shelter in place requirements. Many companies and their AP teams were abruptly sent home to work, whether the company or the employee was prepared to deal with, among other things, the increased cybersecurity risk. So if you and your company fall into that category, keep listening. Welcome to Episode 80: The NIST Framework. Free Guidance to Manage and Reduce Cybersecurity Risk. Today we're talking about NIST, N-I-S-T, and NIST is a framework. It is voluntary guidance, based on existing standards, guidelines and practices, for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risk, it was designed to foster risk and cybersecurity management communications amongst both internal and external organization stakeholders.
And this topic is very timely now, as of the taping of this podcast episode, because we're in the middle of a shelter in place in the U.S. and many employees are working from home, which will no doubt trigger additional reviews and revisions to organizational security and business continuity plans now and when those employees return to work. Today I have with me Korinne Jackman. Korinne is currently a student at the University of Maryland Global Campus, majoring in cybersecurity management and policy with a minor in terrorism and critical infrastructure. She'll be graduating December 2020, and she has a background in electronic funds transfer and banking payment systems, point of sale, training, public speaking, payroll, accounts receivable and accounts payable, benefits administration, social media, marketing and public relations. So welcome, Korinne.

spk_1:   4:14
Hi, Debra. Thanks for having me on today.

spk_0:   4:17
So I gave a brief introduction, but do you want to talk a little bit about your background and kind of what brought you to cybersecurity?

spk_1:   4:25
Well, that's an interesting question. What brought me to cybersecurity is a long, longtime interest in computers dating back from when I was with the MOST ATM network. We were the fifth largest ATM network in the nation at the time. And now we don't have local ATM networks; we're just working off of MasterCard and Visa, which is fine, the consolidation doesn't hurt. But after I took time off to raise my two boys, I decided it was time to re-enter the workforce. And I chose cybersecurity because, as I said, of my long cultivated interest in computer technology. I took on the minor in terrorism and critical infrastructure because of the threat of cyber warfare and its potential impact on our everyday lives. And when we talk about critical infrastructure, we're not just talking about bridges and roadways and electricity. We're also talking about the financial sector; that's one of the 16 critical infrastructure sectors, and it plays a huge part in our lives every day. Every business has a financial aspect to it, and that's why we're here today, discussing the risks to companies with AR and AP.

spk_0:   5:37
To that end, then, let's talk about NIST's purpose. N-I-S-T, it's an acronym. If you could give us an explanation of that and where NIST came from, and are companies, you know, actually using it to reduce cybersecurity risk?

spk_1:   5:54
Sure. So NIST is the National Institute for Standards and Technology, and it was established in 1901, during the height of the Industrial Revolution, as a means of ensuring the United States maintained the ability to compete with other countries both economically and technologically. As a part of the Department of Commerce, NIST is tasked with developing standards that inform all 16 critical infrastructure sectors, with programs covering everything from atomic power to computer science to earthquake resistant skyscrapers. Wow. So the framework we're discussing today is actually called the NIST Framework for Improving Critical Infrastructure Cybersecurity, and it applies to all 16 sectors of critical infrastructure. The impetus for NIST developing the standard was Executive Order 13636, Improving Critical Infrastructure Cybersecurity, that was signed by President Obama in February of 2013. Section seven of the order gave NIST the authority to develop the framework in a way that would allow businesses to align policy, business and technological approaches to tackle cybersecurity. And the goal in using the framework is to take an agile approach that prioritizes risk. It's flexible, can be used over and over, can be reviewed and revised based on how the policy performs in a real world scenario, and provides a cost-efficient or effective means of securing the infrastructure. The point of any security policy should be to enhance security without impeding business function, and the framework assists businesses in developing just such a plan. Because the standards are voluntary and nearly all 16 sectors of critical infrastructure are composed of private enterprise, it's difficult to know for certain how many businesses have deployed the framework to develop their cybersecurity programs, as reporting is also voluntary. But that said, there has been some research done to determine how many businesses are putting the guidance to use.
For example, Gartner research revealed that as of 2015 approximately 30% of businesses in the U.S. had adopted the framework, and they projected that number would increase to 50% by 2020. That number may seem small, but it's important to remember the framework is a voluntary standard, and many organizations may not realize how it would successfully translate to their business. There are, however, strides being made in promoting that widespread adoption. For example, the National Restaurant Association has produced a training guide titled Cybersecurity 101: A Toolkit for Restaurant Operators that explains the framework and assists restaurant operators in adopting a company-wide cybersecurity approach. The association even partnered with NIST, the framework working group, to develop an industry specific framework. In addition to that, both the U.S. Chamber of Commerce and the Better Business Bureau have adopted campaigns to promote the use of the framework, so hopefully that will have a positive impact and result in an increase in framework adoption. And the NIST standards, especially the cybersecurity framework, also have a significant impact on the international business community and are seen as a valuable resource. So when we're discussing the framework, it's important to emphasize its usefulness as a risk management tool to help a business design, develop, implement and maintain a security program that protects its assets without impeding business functions. The framework isn't designed to be the protection; it's designed to guide a business through the process of developing a security policy that meets its specific needs, supporting its overall mission and business goals while protecting the business's assets and functionality.

spk_0:   9:34
Wow. So I think it's a good point that the NIST framework identifies that the point of any security policy should be to enhance security without impeding business function, right, and then the framework helps businesses develop a plan that does just that. And I think that piece is important because it means that businesses don't have to be afraid that implementing this plan will somehow hurt their business or impede their business processes, when really it's there to help them. So let's talk about the NIST Cybersecurity Framework, the five functions of identify, protect, detect, respond and recover. Can you just give us an explanation of what each of those means and then kind of talk about why they are important, why they should be used?

spk_1:   10:25
Right. That's a great question. And to your point, a lot of the resistance that we get to implementing a cybersecurity program is because the stakeholders are worried it will be too cumbersome. And if it's too cumbersome, then the staff's not gonna want to follow through with it, and that's a huge problem. So when we break it down into these five specific frameworks, then people can see how they can adapt that to their company. So it's important to understand what each of these functions means and how they help an organization secure its assets, both physical and digital. The five main functions of the framework represent the strategies a business should use to develop a robust security posture that meets their needs. Even though it's a generalized framework, each business should tailor it to meet their own business goals and their own functions. So the five functions we're gonna discuss are considered the core of the framework. First, the identify function is designed to help an organization examine their vulnerabilities and then to identify the risks involved in context with their specific business. Organizations start by identifying all of their assets, from facilities to equipment to people. It also should identify its supply chain and other relationships. Once a comprehensive list has been identified, the organization needs to identify the vulnerabilities inherent in each segment of that list, determine the risks involved, and then prioritize those risks from most to least impact on business function. In this phase, it's also a good idea to examine any policies already in place, such as an asset management policy or any security policies in use or risk management policy, to determine the vulnerabilities in those policies. This function is critical to developing a successful security program.
You can't protect what you don't see, so knowing all the components of your business is of paramount importance in designing a program that covers the entire business, and NIST offers guidance in assessing and managing risk that can help businesses understand what risk is, then identify and manage it: the NIST SP 800-37 Risk Management Framework for Information Systems and Organizations, and then NIST SP 800-30 r1, Guide for Conducting Risk Assessments.

spk_0:   12:46
and we'll have links to that in the show notes.

spk_1:   12:48
Great. Okay, so in the protect function, the organization develops the plans and policies to secure the assets and functions identified. The goal in designing protection is to ensure business functions can continue by limiting the impact of cybersecurity incidents. Basically, what you're trying to do is protect your system by putting into place processes and procedures that reduce vulnerabilities and exposure to threats.

spk_0:   13:15
And Korinne, just to interject here, that is really where I live. I have authentication techniques, internal controls and best practices, and those are all on the process side. So just to emphasize here with this protect core function, it's not all about IT. It's also about your processes as well.

spk_1:   13:36
Right. Processes are really, really important, and it's also important that when you set them up you get the buy-in of your staff. We'll talk about that a little later, sure. Okay. All right, well, so the next function of the framework is detection, which is the plan the organization will put in place to discover cybersecurity events. Detection involves monitoring networks and systems for activity or traffic out of the ordinary. But I have to emphasize that it also involves, on the non-technical side, monitoring your processes. You have to make sure that those processes are still functioning the way you want them to be functioning and that they are detecting any anomalies. This is important because a strong detection plan will greatly reduce the time it takes to discover a breach or an infiltration or, in a non-technical sense, some other type of malicious activity, and it allows the organization the opportunity to reduce the negative impact on its business. NIST also has another standard to help with this for the technical side, and that's the NIST SP 800-94 Guide to Intrusion Detection and Prevention Systems, which can be used by businesses as a guide to developing their own detection program. On the technical side, the intrusion detection guide breaks down the components and technologies involved in an intrusion detection and prevention system and is a useful resource, especially for organizations attempting to stand up their first program. Once the detection plan is in place, the business should move on to designing a plan for how it will respond to a cybersecurity incident. NIST also has the standard best practice guide for incident response, which is NIST SP 800-61 r2, Computer Security Incident Handling Guide, that will help businesses understand the process in detail and then design a program that meets their specific goals and needs.
Incident response planning involves creating a team, assigning specific response tasks and defining individual position responsibilities. Some larger organizations may decide to create a standalone team to respond to incidents, but small and medium size enterprises may find it more appropriate, or even necessary, to create that team within the larger IT staff. The key here, as with each function within the framework, is to understand and address the specific needs of your organization. When we talk about response, we should be addressing isolating the threat so that it can't spread throughout the network or system, and then taking corrective action to resolve the threat. You can't begin to get back to normal until you've eliminated the cause of the event, and this is exactly why a business would need those activities to work.

spk_0:   16:25
And that's a good point too, because when I was at a larger organization, we did have a completely separate team that dealt with information security. They were the ones that rolled out the different controls and the different processes that we needed to take in order to make sure that we were protecting our company assets. So it was a completely separate team; it didn't have anything to do with the IT staff. But I will say, with some smaller companies, I interviewed an AP manager, and one of the things she pointed out as far as cybersecurity is that even though they also had a separate team, the employees paid more attention when the IT staff that they had been working with for all of their IT needs also endorsed it. So while it may be a standalone team, it's still important that, you know, you get all stakeholders involved and all stakeholder groups supporting the plan, because sometimes you never know the motivation behind employees actually following through and doing what's been put into place.

spk_1:   17:32
Right. So one of the problems for a small business, or I should say issues, is that they may not have the money to have a separate staff. That's why it's more effective to have it be part of the IT team. Now, as far as getting that buy-in that we talked about, this is where it's important, like you said, that the employees were more apt to follow along and go along with the program if it was endorsed by IT. Two things there. First, the onus on that is on the executives or the management staff, because they need to make sure that all staff understand that there's a cybersecurity team, but they are part of IT. They might have a separate function, but they're not separate from the team itself. The whole company is a team, so if people are looking at them as separate, well, "if IT isn't gonna endorse it, then I'm not gonna pay attention," that's a failure of management. They really need to make sure that the whole team is functioning as a cohesive unit. So that's number one. Number two, it's also really important that all staff, technical and nontechnical, understand that cybersecurity isn't the responsibility of one entity. It's not the responsibility of the cybersecurity team or the IT staff. It's the responsibility of every single person in that company, from the janitors to the chief executive officer. Everyone has a responsibility for cybersecurity, and they should use the tools that they have to make sure that they're maintaining a secure environment. It's called cybersecurity hygiene, and everybody needs to be part of that, not just the IT or cybersecurity team.

spk_0:   19:13
Yeah, great point. If any listener wants to listen to that episode, it is Episode 66, Cybersecurity from an Accounts Payable Manager's View, and in that she really goes into, Korinne, exactly what she did in order to ensure that her employees were following the processes that were put into place. And I think you make a great point, that it is really management's responsibility to make sure that is done, because the company is one whole team. It's not just the different departments; it's a cohesive team, and everyone needs to follow those processes that are put into place.

spk_1:   19:54
In a larger enterprise, they would have a compliance team. They would have somebody on staff, maybe under the general counsel's office, that would oversee governance and compliance, because there are a lot of liability issues involved as well. Yeah. But in a smaller group, in a small to medium business, using the framework helps them understand the importance of compliance and governance. There are plenty of resources available on the NIST website that help with that, but it does open the door to the importance of having someone on the team, whether it's in IT or if there's a general counsel or whatever, that is familiar with governance and compliance and can help. Basically, what you need is a policy wonk. You need somebody in there who can develop the policy so that they can then train the managers on how to govern at their own level. So it should be like a trickle down, ideally, you know.

spk_0:   20:56
Yes, and thanks, Korinne. So far you have covered four of the five core functions of the NIST framework: you've covered identify, protect, detect and respond. And so now we're up to our last one.

spk_1:   21:12
The last of the five functions of the framework is recover, and it addresses the plans the company will develop to ensure business continuity and the restoration of business functions. As with the previous functions, NIST has a best practice guide for recovery. It's NIST SP 800-184, Cybersecurity Event Recovery, that businesses should use to develop their own recovery strategy to restore their systems and processes. This would involve recovering backups to get the business up and running, etcetera. So the framework has been designed to guide every business, no matter its size or industry, in designing a security plan that will meet the specific needs of the business in such a way that the plan successfully enhances security without impeding the business operations and functions. Larger organizations will have people on staff with significant experience standing up a security program, and they may not need a guide. However, every business could benefit from using it, especially small to medium businesses that have little to no experience developing security protocols. And it's a myth that not every business needs a security policy. Every business uses computers, and every business has some form of payment system in place, and absent significant experience in designing and standing up a security program, the framework will guide the organization through the processes that will help them develop a security program. It's an incredibly valuable tool to use, even if you're a mom and pop business.

spk_0:   22:40
So I think that's an important point to make, that no matter how small you think your company is, if you're using computers, you need to have a security policy in place. So right, that mom and pop needs to have that security policy in place. And so thanks, Korinne, for explaining the different functions of the NIST Cybersecurity Framework: identify, protect, detect, respond and recover. You mentioned that this framework has been around since 2014, but I know that it was revised in 2018. So can you talk about what changed? What was added?

spk_1:   23:18
Sure. Well, the first iteration of the framework covered the five functions we just discussed, and then in the revised version, the framework was divided into three components: core, tiers and profile. The five functions we just discussed are the core. Okay, so in the tier component, businesses are rated according to the extent to which their business risk management practices align with the framework, and the tiers range from Tier 1, which indicates partial alignment, to Tier 2, risk informed; Tier 3, repeatable; to Tier 4, adaptive, which means the business's risk management functions are able to adapt to its changing needs, goals and environment. Ideally, the goal should be a rigorous approach to risk management that's fully integrated into business functions and decision making and includes a high level of cybersecurity communication the organization engages in with its external partners. That lands an organization in Tier 4. But each business has to determine for itself where it wants to sit along that spectrum.

spk_0:   24:22
It's like a system to score itself. Yes, exactly. To score itself.

spk_1:   24:28
Okay, and they can decide where they want to be. And honestly, you're not going to just come out of the chute into Tier 4. You're gonna actually progress through it as you're developing a program, so that also gives them a benchmark. Okay, so here we have the first goal, it's Tier 1, and then they move forward from that. Okay, so the final component of the framework is the profile, which describes how the organization has aligned its business requirements, its risk appetite and resources to the desired outcomes of the framework. And one of the benefits of the profile component is that it allows an organization to see where it may need to make improvements to its cybersecurity posture by optimizing the framework in such a way as to maximize its benefits for the organization. So the business determines its current profile and decides on a target profile, then utilizes the framework to make the necessary changes. And this works for companies new to the entire process and for those re-evaluating their security protocols.

spk_0:   25:29
Okay, so they get to evaluate and then score themselves using the tier component, and then with the profile, they identify what their risk appetite is and desired outcome. So the tier and the profile are really designed to document their criteria and then also to measure where they are, right? Okay, so I've seen reports that say phishing attempts have increased by 600% because the bad guys know that employees are currently working, distracted, from home. I mean, they're trying to homeschool kids and trying to do work. So what would you say is the best advice to organizations to reduce their cybersecurity risk, especially now, using the NIST framework?

spk_1:   26:23
Well, we do live in interesting times, and we are all suddenly remote workers where we weren't before. And so that means a lot of companies weren't prepared for that. Maybe some companies didn't allow remote working at all. Yeah. Um, and those who did probably already had some type of plan in place to protect their organizations. At least we hope they did. That's not always the case. So there are several things that need to be done. Let's back that up a little bit and pretend that we're pre-pandemic and we're not working from home yet, because that's going to be part of the process to roll something like that out. So let's pretend we're living in a perfect world and we have the opportunity to first see into the future: we may need this functionality, right? So the first thing businesses need to do is accurately identify their risk. You have to know what you're up against before you can develop a plan to fight it, and to borrow from a time honored phrase, you can't fix what you don't know is broken. So businesses need to identify all their assets, their functions and relationships and do a full risk assessment so that everything is on the table. Then, using the NIST framework and other tools, develop a mitigation plan to address those risks, ensuring the steps taken reduce the vulnerabilities and provide staff with the tools to identify, protect from, respond to and recover from any incidents. This should include a plan to help both technical and nontechnical employees understand risks to the organization and the part they play in the cybersecurity posture of the company. So it's critically important that staff know that cybersecurity is everyone's responsibility, and they should be empowered with the information and tools they need to participate in protecting the company's assets.
Companies often skip this important step, but in order to successfully mitigate risk, management needs to recognize that humans are the weakest link in the cybersecurity chain. So while malicious activity does account for some of that, negligence and ignorance are equally important factors. To address that, companies need to educate employees on how to be good cybersecurity stewards. The way you do that, the way you encourage employees to buy into your security program, is through education and communication. So finally, as part of the organization's overall preparedness and security posture, a disaster recovery and business continuity plan should be included in the policy development to ensure any event, such as what we're going through right now, whether it's natural or man-made, has as minimal a negative impact as possible. And if there ever were an example of just how important that advanced preparedness posture is, it would be our current situation with the novel coronavirus.

spk_0:   29:12
And as I said at the beginning, you know, we're in the midst of the coronavirus shelter in place, work from home, and I can see companies small and large going back and revising or adding to their disaster recovery and business continuity plan, especially around the AP area, because there are lots of companies that abruptly moved their AP teams to working from home that just had not prepared for that before. So I think this is a great time to talk about the NIST framework, so that as they do go back, or as they're still working from home, they can start looking at applying this framework, and then also, when they go back, they can start putting those things into place.

spk_1:   29:57
So when we're thinking about what policies and protocols to put in place before the disaster strikes, you asked earlier how businesses can protect themselves now that their employees are working from home, so again, rolling back time as if this is a perfect scenario. Some of the policies that they should put in place are policies like bring your own device. Um, they need to establish what devices can be used, how they will be used, what the company will do with the device, what the employee is expected to do. There should also be acceptable use policies in place so that employees understand what's acceptable on the company network and what isn't. We mentioned the disaster recovery and business continuity plans. Those are critical, um, but included in a disaster recovery and business continuity plan has to be a system for backing up the data, backing up and making sure that the data that is backed up is recoverable. So not only do you back it up consistently, but you test it and make sure that when you need it, it's gonna be there. And for the AR/AP departments, since they do tend to be one big group all performing the same function, some of the things that managers can put in place would be something like separation of duties, um, dual control or mandatory vacations, because this way it gives management an opportunity to oversee what's going on, to make sure that any anomalies are identified without being intrusive. You don't want to be micromanaging your staff, but it would be really important to have something like that in place if your employees are working from home.

spk_0:   31:38
Yeah, and I also think for those companies where the accounts payable function and/or the accounts receivable function, because you're right, a lot of times it's all the same group, where they weren't working from home in the past, they worked 100% within the office. I think now, if they have disaster recovery or business continuity plans in place, then they're going to go back and revise those to at least allow those employees to work one or maybe two days per week or per month from home, so that they can test their disaster recovery and business continuity plan, so they can make sure that if it happens in the future, the abrupt move for AP and AR going to work from home will be much smoother than it was this time around.

spk_1:   32:26
Right. I think a lot of businesses, or I should say, we know a lot of businesses were caught completely off guard and had no structure in place whatsoever to deal with this. And so now they're flying by the seat of their pants, trying to make sure. And of course, the cybercriminals are out there. Yep. And they're having a field day, like you said, with the phishing emails. That's been a problem for years. We all know it, right. And even the best people. Barbara Corcoran, you know, one of the best businesswomen in the country, she fell to one of those with a $400 million

spk_0:   33:06
for at Theo's 500,000. Yeah, with that 400 left, isn't played it, make it

spk_1:   33:13
sound really disaster.

spk_0:   33:14
She does. She probably had that much, but yeah. Yeah, and I remember seeing that in the news. She lost $400,000 to that. So you know, no one is immune. And I think you made an important point, that you need to make sure that you include and educate your employees so that they can be good cybersecurity stewards. So that education, that training, is very important, as well as putting in those internal controls, because everyone could be distracted. And they certainly are, as we're in this current situation with the coronavirus and shelter in place. Oh, yeah. So I know you gave some references for each of the core functions, and I'll definitely put those into the show notes. But where can the listeners go to get more information on the NIST Cybersecurity Framework?

spk_1:   34:09
Okay, so if they want more information about NIST, it's a very simple website address. It's nist.gov, that's n-i-s-t dot gov. From there, they can peruse the website, find out what it is they need.

spk_0:   34:27
Yeah, and I will also add a link to the Small Business Information Security: The Fundamentals, which NIST calls a starter kit, and also the Computer Security Resource Center, which should be a great place to start. So where can they connect directly with you?

spk_1:   34:45
Listeners can connect with me via LinkedIn.

spk_0:   34:48
Okay. And I'll also put that in the show notes, so they would just be able to click and find you. So thanks, Korinne, for giving a great explanation of the NIST framework, as well as next steps to begin putting that framework into place.

spk_1:   35:05
Great. Thanks so much for having me.

spk_0:   35:07
Alright. Thanks a lot, Korinne. So thanks, everyone. I hope you enjoyed the interview with Korinne Jackman on the 80th episode of the Putting the AP in hAPpy podcast, where accounts payable teams are empowered to protect the vendor master file from fraud. Don't forget to check the show notes for the links mentioned in the podcast. If you enjoyed this episode, consider subscribing and writing a review of my podcast on the platform that you use to listen. Stay hAPpy.