Road map to cyber security frameworks
The world has experienced exponential growth in cyber threats since this pandemic started. Work-from-home requirements have added fuel to that fire, as many organisations struggle to provide the same level of IT security protection to assets and staff that are now operating remotely.
According to the IBM Security 2021 X-Force Threat Intelligence Index, “Ransomware was the most popular attack method in 2020.” The methods by which ransomware gets into your computers are becoming far more sophisticated, and the tools and processes that businesses currently employ are simply not enough. Sadly, many organisations in the Caribbean do not have the budget to maintain their own IT security teams, and these organisations find it very difficult to implement cybersecurity programmes that improve their security posture. This is where selecting a cybersecurity framework can help.
What is a cybersecurity framework?
A cybersecurity framework is a plan consisting of a set of guidelines, processes and steps for keeping all your data and systems safe. Perhaps hundreds of cybersecurity frameworks exist globally. The more comprehensive frameworks generally cover personnel, networking systems, business computers, portable equipment, operating systems, software, services, business processes, work tasks, communications, data in transit, and storage; some are designed for specific industries, and others for general business use. Many of these frameworks have been created in response to either government directives or regulatory requirements around the world.
Popular frameworks in the USA include the National Institute of Standards and Technology (NIST) Special Publication 800-53, Control Objectives for Information and Related Technology (COBIT), the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Centre for International Security (CIS) Top 20 Basic CIS Controls, and the American Institute of CPAs (AICPA) System and Organisation Controls (SOC). In Europe, we have the International Organisation for Standardisation (ISO) 27000 series.
Choosing a cybersecurity framework
A challenge for many organisations is deciding which framework to implement. If you are in an industry with a specific requirement, such as the payments industry, the choice is easier. Otherwise, you need to invest the time to research. It is important to note that because these frameworks are voluntary, you can select elements from one and add pieces from another to fit your organisation’s capabilities and culture. For tTech, we are implementing the CIS 20 with features of NIST for very comprehensive coverage. In summary: 1) research the options; 2) determine whether your organisation or industry has specific obligations; 3) select the framework and adjust it, if need be, to your organisation; 4) mix and match if you must to create the best solution for you.
A regional cybersecurity framework?
Local research has shown us that even with these frameworks, too many businesses fail to fully implement the solutions, for reasons including a lack of resources and a limited understanding of the frameworks’ requirements. Maybe it is time to develop our own framework for the region, pulling from what already exists and simplifying it for our market. Discussions have begun locally, and we will explore the main framework components in future articles.
Christopher Reckord is CEO of the managed IT services provider tTech Limited. Trevor Forrest is founder and CEO of 876 Technology Solutions. Collectively, they have approximately 80 years of experience helping organisations of varying sizes procure and implement information technology solutions and transform digitally.