In the beginning of 2023, the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) released an updated version of the Cybersecurity Performance Goals (CPGs)—a set of practices that businesses and critical infrastructure owners can take to protect themselves against hackers.
These goals, while not currently mandatory, are still crucial in the face of escalating cyberthreats, which outpace most businesses’ ability to defend themselves. Managing risk and aligning with the CPGs at your organization has to be a company-wide initiative that starts at the top.
The Importance of CPG Implementation
Over 2,200 cyberattacks happen each day; that’s one attack every 39 seconds. Yet, only 38% of organizations feel as though they’re prepared to handle an advanced cyberattack.
These statistics reveal how the majority of businesses are unprepared to deal with modern threats. The exponential rise in attacks not only jeopardizes sensitive data but also poses significant financial and reputational risks to breached businesses.
The underlying hope of the CPGs is that they’ll spur business leaders into decisive actions to fortify their company’s cybersecurity by being clear, thorough, prescriptive and pragmatic.
Cybersecurity Risk Management Issues
Many business leaders don’t prioritize investing in cybersecurity and lump it into their already small IT budgets. But cybersecurity isn’t an IT problem; the standard IT operations employee doesn’t have the skills to provide the protection a company needs. Having cybersecurity specialists, or outsourcing from a managed service provider, is the best way to ensure your business’ security will be protected well enough to prevent hackers from wreaking havoc.
Companies that don’t focus on cybersecurity risk getting hacked at an exponentially higher rate than those that do. When companies are hacked, insurance companies want to restore the business’ operations as fast as possible to limit the amount of money they have to pay in a claim. And since most cybercriminals are motivated by money, the fastest way to resume operations is by paying the ransom.
By giving the hackers what they want, the vicious cycle of cybercrime continues and escalates. The best way to reduce this cycle is by investing in the proper people, processes and technology. While effective tools can stop threats, monitoring allows a company to detect and respond to incidents that do occur.
How CPGs Compare to Other Security Frameworks
CISA originally published the first CPG report in October 2022. The introduction of CPGs gave business leaders more structure and a roadmap to follow.
After receiving feedback requesting a more streamlined alignment with the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) functions, the agency undertook a comprehensive update and reorganization of the CPGs.
The CPGs—which today include the outcome, risk addressed, scope and recommended action of each goal—are now aligned with those CSF functions. But the CSF tends to be more descriptive when compared to the prescriptive CPGs.
Additionally, CISA updated smaller components within the framework, including the incorporation of phishing-resistant multi-factor authentication (MFA) into the updated MFA goal and the addition of a goal to aid in the recovery planning capabilities of organizations.
Let’s take a look at some of the goals your business should work toward, divided according to the NIST CSF:
- Identify: Taking asset inventory, clarifying organizational and operational technology (OT) cybersecurity leadership, improving IT and OT cybersecurity relationships, mitigating known vulnerabilities, third-party validation of cybersecurity control effectiveness, supply chain incident reporting and vulnerability disclosure and outlining vendor/supplier cybersecurity requirements
- Protect: Password and credential protections, separating user and privileged accounts, network segmentation, detection of unsuccessful login attempts, basic and OT cybersecurity training, encryption, secure sensitive data, system backups and incident response plans
- Detect: Detecting relevant threats and terrorist tactics, techniques and procedures (TTPs)
- Respond: Incident reporting, vulnerability disclosure and deploying security.txt files
- Recover: Incident planning and preparedness
In the near future, the CSF will update its framework by adding a sixth function: govern. This new element aims to guide companies in understanding how to achieve the outcomes of the other five elements with organizational structure and enforcement. As for the CPGs, the impact of this addition is not yet known.
Impact, along with our cybersecurity partner DOT Security, has aligned our services with the Center for Internet Security’s CIS Critical Security Controls (CIS Controls), which provide a better way for us to measure a business’ cyber maturity and lay out a plan to consistently improve—which is a never-ending journey, not a destination.
CIS Controls are a simplified set of best practices used by thousands of cybersecurity professionals worldwide and allow businesses to:
- Simplify their approach to protecting against threats: CIS Controls provide a streamlined cybersecurity strategy to safeguard an organization.
- Comply with industry regulations: The tools and best practices can help organizations meet compliance requirements for cybersecurity policy, regulatory and legal frameworks.
- Accomplish essential cyber hygiene: The majority of effective cyberattacks take advantage of “poor cyber hygiene,” such as neglected software, inadequate configuration management and a reliance on outdated solutions. The CIS Controls help businesses “clean up” their systems.
- Turn information into action: CIS Controls acknowledge that modern systems and software are constantly changing, leveraging this awareness to facilitate the ongoing evolution of assets in accordance with the security objectives of your business.
- Follow the law: Numerous states mandate that executive branch agencies and other governmental entities adhere to cybersecurity best practices. Several of these explicitly cite the utilization of CIS Controls as a means to showcase a “reasonable” standard of security.
The threat of cyberattacks evolves faster than most businesses can keep up with, meaning the cybersecurity industry must continuously evolve to protect against threats.
Looking Into the Future
This is only the beginning of cybersecurity oversight. Although they’re currently voluntary, the CPGs may eventually become industry regulations that could result in fines and other sanctions for companies that ignore the proper cybersecurity procedures.
Companies will also continue to be encouraged to prioritize cybersecurity, as it will become increasingly difficult for businesses to obtain cyber insurance and loans from financial institutions without them. The absence of evidence demonstrating compliance with minimum security standards may result in the loss of customers.
The current scope of the CPGs encompasses cybersecurity measures across various sectors. However, CISA is actively collaborating with Sector Risk Management Agencies to initiate category-specific guidelines for each critical infrastructure division.
These are expected to either be customized toward specific sectors or provide resources designed to help implement existing CPGs for each category. The creation of these goals will enhance targeted protective measures, addressing the unique needs of each sector.
A highly effective strategy in confronting cyber risks is educating businesses on the topic of cybersecurity risk management. Notably, at Impact, we’ve observed both prospects and clients actively increasing their knowledge of cybersecurity, resulting in more questions and interest compared to the year before. I don’t believe it’s enough, but the more it’s talked about, the better off we’ll all be.
Although the CPG suggestions alone aren’t enough to prevent cyberattacks, engaging in ongoing discussions about cybersecurity and devising strategies to manage risks stands out as the most effective means to keep your business as safe as possible.