US companies now have framework of voluntary cybersecurity standards

October 30, 2013

Last week, companies across the US were given a new set of voluntary cybersecurity standards which, if they choose to adopt them, are meant to improve their security without binding them to formal, red-tape-laden regulation.

The plan was put in place by the National Institute of Standards and Technology (NIST), which said it hopes the framework will encourage companies involved with the country’s critical infrastructure to adopt the standards. These include banks, financial services firms and electric and water utilities.

For years, many of these companies have stated that enforced cybersecurity standards would only get in the way. By making the standards voluntary, NIST says firms will be much more likely to increase their cybersecurity efforts.

The latest release is a revision of an earlier draft. Many experts say this version is clearly better than the original, but caution that it is no cure-all for cyber threats. One of the biggest concerns is that it could encourage companies to settle for only the most minimal cybersecurity programs.

Still, it appears NIST strived to make the standards more flexible for companies. For example, it eliminated the word “should” from the guidance, giving companies more say in their action plans.

Voluntary standards are better than nothing

The fact that the US is drafting such guidelines is a step forward. Cyber attacks on the country’s water utilities, power companies and banks have risen sharply over the years, and in some cases have caused isolated damage to grids and water treatment plants.

The standards focus on helping companies identify their network assets and detect security breaches quickly so they can be contained and remediated as fast as possible. The document states that this may be achieved by compiling inventories of all software platforms and applications, spelling out what is expected of C-suite officials and creating clear IT security policies.
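The inventory step above is where most organizations actually start: you cannot detect an unauthorized asset until you know what is supposed to be there. The following is an added example, not NIST's tooling or any code from the framework, of a minimal software-inventory check. It assumes (these are assumptions, not facts from the article) that each host reports its installed packages as lines of `package version`, in the shape `dpkg-query -W -f='${Package} ${Version}\n'` produces, and that the organization keeps an approved-software baseline per host role. All host reports and the baseline below are constructed sample data.

```python
"""Software-inventory audit: compare what hosts report against an approved
baseline and flag unapproved packages, version drift, missing packages,
hosts that never reported, and hosts nobody knows about.

Added example; not code from NIST or the framework document.
Assumption: reports are "package version" lines (dpkg-query style),
and every known host is assigned a role with its own baseline.
"""

# Constructed sample reports, one per host (hypothetical hostnames).
REPORTS = {
    "web-01": "nginx 1.24.0\nopenssl 3.0.2\npython3 3.10.12\nnetcat-traditional 1.10\n",
    "web-02": "nginx 1.24.0\nopenssl 3.0.1\npython3 3.10.12\n",
    "db-01": "postgresql-14 14.9\nopenssl 3.0.2\n",
    "lab-07": "sshd 9.0\n",  # not in the asset register at all
}

# Constructed baseline: role -> {package: pinned version or None for "any"}.
BASELINE = {
    "web": {"nginx": "1.24.0", "openssl": "3.0.2", "python3": None},
    "db": {"postgresql-14": "14.9", "openssl": "3.0.2"},
}

# Constructed asset register: every host we expect to exist and its role.
# db-02 is registered but sends no report, which is itself a finding.
ROLE_OF = {"web-01": "web", "web-02": "web", "db-01": "db", "db-02": "db"}


def parse_report(text):
    """Parse 'package version' lines into a dict; skip blank/malformed lines."""
    inventory = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue  # blank or malformed line: ignore rather than crash
        name, version = parts
        inventory[name] = version
    return inventory


def check_host(inventory, allowed):
    """Return (kind, package, version) findings for one host.

    kind is one of: 'unapproved' (not in baseline), 'version-drift'
    (pinned version differs), 'missing' (baseline package absent)."""
    findings = []
    for pkg, ver in sorted(inventory.items()):
        if pkg not in allowed:
            findings.append(("unapproved", pkg, ver))
        elif allowed[pkg] is not None and allowed[pkg] != ver:
            findings.append(("version-drift", pkg, ver))
    for pkg in sorted(allowed):
        if pkg not in inventory:
            findings.append(("missing", pkg, allowed[pkg]))
    return findings


def audit(reports, role_of, baseline):
    """Audit every registered host plus any host that reported unexpectedly."""
    results = {}
    for host, role in role_of.items():
        if host not in reports:
            # Registered asset that is silent: could be down, or unmonitored.
            results[host] = [("no-report", None, None)]
            continue
        results[host] = check_host(parse_report(reports[host]), baseline[role])
    for host in reports:
        if host not in role_of:
            # Something on the network the register does not know about.
            results[host] = [("unknown-host", None, None)]
    return results


if __name__ == "__main__":
    for host, findings in sorted(audit(REPORTS, ROLE_OF, BASELINE).items()):
        status = "ok" if not findings else ", ".join(
            f"{kind}:{pkg}@{ver}" if pkg else kind for kind, pkg, ver in findings
        )
        print(f"{host:8} {status}")
```

Run against the sample data this flags the extra netcat on web-01, the OpenSSL version drift on web-02, the silent db-02 and the unregistered lab-07, while db-01 comes back clean. In practice the reports come from an agent or a scheduled job and the baseline lives in version control, so drift shows up as a reviewable diff rather than a surprise.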

“We want to turn today’s best practices into common practices, and better equip organizations to understand that good cybersecurity risk management is good business,” said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher.

The need for improved cybersecurity and vulnerability management is clear. In one recent survey from MeriTalk, 74 per cent of cybersecurity professionals said they weren’t prepared for an international cyber attack.

Countries around the world will need to consider how to reduce the risk of cyber attacks, whether through voluntary standards or enforced regulations.
