Towards Cyber Resilience: NIST’s Cybersecurity Framework for Ransomware Risk Management



The number of ransomware attacks on organizations around the globe is growing at an exponential rate with no signs of slowing down. According to Check Point, ransomware attacks grew by 102% in the first half of 2021 compared to the beginning of 2020.

Cybersecurity Ventures expects ransomware to attack a business, consumer, or device every 2 seconds by 2031, up from every 11 seconds this year, and estimates ransomware damages to cost the world $265 billion by 2031. To operate in this precarious digital landscape, organizations today must go the extra mile to ensure that their cyber defense mechanism is robust and effective.

In the wake of the significant surge in ransomware attacks, the National Institute of Standards and Technology (NIST) has published a new draft, the Cybersecurity Framework Profile for Ransomware Risk Management, that sets out its guidance on how organizations can prevent, respond to, and recover from ransomware attacks.

The document details basic preventive steps to protect against the ransomware threat, including using antivirus at all times, keeping computers fully patched, continuous monitoring, segmenting internal networks, educating employees about social engineering, assigning and managing credential authorization, and many more.

The Five Cybersecurity Framework Functions

NIST has classified Cybersecurity Framework Functions into five categories: Identify, Protect, Detect, Respond, and Recover, and has suggested key measures under each of these functions to protect against ransomware threats.

Identify – This is the first step and the foundation for the rest of the framework. It requires developing an organization-wide understanding of systems, people, assets, data, and capabilities, and the associated cybersecurity risks. Some of the key suggestions made by NIST under this Function include:

  • Creating, reviewing, and maintaining an inventory of all organizational data, personnel, devices, systems, and facilities
  • Prioritizing organizational resources based on their classification, criticality, and business value
  • Establishing cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
  • Cataloging and mapping internal and external communications and data flows
  • Developing a comprehensive communication strategy that details the action plan in the event of an attack
  • Effectively managing legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations
  • Establishing and managing risk management processes agreed to by organizational stakeholders
  • Conducting response and recovery planning and testing with suppliers and third-party providers

Protect – This function is critical to limit or contain the impact of a potential cybersecurity event and involves implementing appropriate safeguards to ensure the delivery of critical services. Some of the key measures include:

  • Documenting and managing identities and credentials for authorized devices, users, and processes
  • Managing remote access to maintain the integrity of systems and data files
  • Effectively managing access permissions and authorizations, incorporating the principles of least privilege and separation of duties
  • Providing cybersecurity awareness education and training to employees
  • Managing information and data in a manner consistent with the organization’s risk strategy

Detect – This function requires the implementation of appropriate activities to identify the occurrence of a cybersecurity event and to enable its timely discovery. Some of the key suggestions include:

  • Detecting anomalous activity and understanding the potential impact of events
  • Continuous monitoring of information systems and assets
  • Maintaining and testing detection processes and procedures to ensure awareness of anomalous events

Respond – Once a cybersecurity incident is detected, the Respond Function is important to take appropriate action and measures to contain the impact. NIST recommends:

  • Executing and maintaining response processes and procedures to ensure a response to detected cybersecurity incidents
  • Coordinating response activities with internal and external stakeholders
  • Conducting analysis to ensure effective response and support recovery activities
  • Performing activities to prevent the expansion of an event, mitigate its effects, and resolve the incident
  • Continuously improving organizational response activities by incorporating lessons learned from current and previous detection/response activities

Recover – This function involves implementing appropriate activities to maintain plans for restoring any capabilities or services that were impaired by a cybersecurity incident, and it supports an organization’s timely return to normal operations. Key measures include:

  • Executing and maintaining recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents
  • Improving recovery planning and processes by incorporating lessons learned into future activities
  • Coordinating restoration activities with internal and external parties

How MetricStream Can Help

MetricStream welcomes the ransomware guidance from NIST. Such practical frameworks can considerably help CISOs and security teams to develop an effective cybersecurity strategy from the ground up and evaluate their existing strategy for any gaps or loopholes.

The MetricStream IT and Cyber Risk and Compliance solution is aligned with the capabilities detailed in the NIST guidance. It helps organizations proactively anticipate and minimize IT and cyber risks, threats, and vulnerabilities, and manage multiple IT compliance requirements. The solution cuts across enterprise silos by facilitating harmonization between various functions, aggregating information, and providing a 360-degree, real-time view of IT risk, compliance, policy management, and IT vendor posture. It also enables enterprises to execute and manage an effective business continuity and disaster recovery program. To request a personalized demo, click here.

Pat McParland

Patricia McParland AVP – Marketing

Pat McParland is AVP of Product Marketing at MetricStream. She is responsible for creating product messaging, product go-to-market plans, and analyzing market trends for MetricStream's cyber compliance and third party risk product lines. Pat has more than 25 years of financial data and technology marketing experience at Fortune 1000 brands as well as startups and has led product and marketing teams at Dow Jones and Dun & Bradstreet. She has a BA from the College of William and Mary and lives in Summit, New Jersey.