In light of the alarming rise in antisemitism worldwide, Jewish communities face heightened risks of online harassment, doxxing, and targeting that can compromise their safety both online and offline. Ensuring robust protection of Jewish identities, sensitive information, and physical security requires adopting a comprehensive and proactive risk-based approach. Jewish communities and organizations can leverage the National Institute of Standards and Technology (NIST) 800-37 framework to enhance their cybersecurity and privacy posture.

​

The Risk-Based Approach to Cybersecurity

A risk-based approach ensures that organizations focus their cybersecurity efforts on areas where threats are most likely to occur or have the most damaging impact. This method is particularly crucial for Jewish communities, which face unique and escalating threats driven by antisemitism. By systematically identifying, assessing, and responding to risks, individuals, community leaders, and institutions can better safeguard personal identities, community infrastructure, and physical security against both cyber and physical attacks.

​

NIST 800-37: The Framework for Managing Risks

The NIST Special Publication 800-37 outlines a structured process for managing cybersecurity risks, which includes seven key steps. These steps can guide Jewish communities and their affiliated organizations in identifying vulnerabilities and implementing strategies to defend against potential cyber and physical threats. Below is a detailed plan based on the NIST 800-37 framework, tailored to address the unique challenges faced by Jewish communities.

​

Step 1: Prepare

The first step is to establish an organizational culture that prioritizes security and privacy. For individuals, it is the awareness and decision to be proactive! Preparation involves defining the mission and goals for cybersecurity protection, especially in the context of the Jewish community. This stage includes:

• Identifying community assets (e.g., member information, event databases, leadership communications)

• Mapping out key threats such as doxxing, blacklisting, targeted attacks, and breaches aimed at Jewish organizations

• Establishing risk management governance with dedicated teams or roles responsible for overseeing security policies, incident responses, and member education

Preparedness ensures that Jewish institutions understand the full scope of risks they face and are equipped to defend against them.

​

Step 2: Categorize Information Systems

This step involves classifying the types of data and information systems that need protection. Jewish organizations, particularly those managing sensitive personal information (e.g., religious data, addresses, communications), must categorize these systems based on the severity of potential harm if compromised.

​

For example:

• High-impact systems: Community databases with sensitive personal identities and event locations

• Moderate-impact systems: Websites and social media accounts that could be used to disseminate antisemitic content

• Low-impact systems: General communication platforms with lesser risk but still valuable for overall operational integrity

Proper categorization ensures that protective measures align with the sensitivity of the data involved.

​

Step 3: Select Security Controls

Once data has been categorized, selecting appropriate security controls is crucial. NIST provides a catalog of controls, which can be tailored to the specific risks faced by Jewish communities. These controls include:

• Access control measures: Strong authentication, role-based access to sensitive systems

• Encryption protocols: Protecting member information and communications from unauthorized access

• Incident response planning: Establishing protocols for dealing with antisemitic cyberattacks or data breaches, including coordinated responses with law enforcement or cybersecurity firms

Effective security controls mitigate the risk of exposure and ensure preparedness against evolving threats.

​

Step 4: Implement Security Controls

After selecting the appropriate controls, the next step is to implement them throughout the organization. This requires technical and policy-based efforts:

• Installing firewalls and monitoring systems to detect unusual activity or attempted breaches

• Enforcing encryption for sensitive communications between community members and leadership

• Educating community members about secure online behaviors, such as avoiding phishing attacks or using strong passwords

The implementation phase turns theoretical plans into practical defenses, making it harder for attackers to exploit vulnerabilities.

​

Step 5: Assess Security Controls

Regular assessments of implemented security controls are critical to ensuring they remain effective. Jewish organizations must conduct:

• Vulnerability scans to identify new risks, such as updated tactics from antisemitic groups

• Penetration testing to simulate attacks and evaluate whether current defenses can withstand real threats

• Audit trails and logs to ensure that any unauthorized attempts to access sensitive information are promptly identified

Assessments provide feedback on the efficacy of the security measures and identify areas for improvement.

​

Step 6: Authorize Information Systems

Before systems can be fully operational, they must be authorized for use. This step requires leaders or governing bodies of Jewish organizations to formally assess the security measures and accept the risks involved. Only after a thorough review should these systems be launched into full use.

​

By authorizing systems, organizations acknowledge their responsibility to maintain robust security and continually monitor potential risks.

​

Step 7: Monitor Security Controls

The final step involves ongoing monitoring of the organization's security posture. Jewish communities need to:

• Track threat intelligence: Stay aware of new antisemitic tactics and trends in cyberattacks targeting Jewish communities globally

• Review incident reports: Analyze past events to improve response times and mitigate future risks

• Update security protocols as needed, adapting to the evolving landscape of threats

 

Continuous monitoring ensures that the risk-based approach remains dynamic, with protections adjusted according to emerging threats.

 

Adopting a risk-based approach rooted in the NIST 800-37 framework is essential for Jewish communities looking to safeguard themselves against rising antisemitism. By following this structured seven-step process, Jewish organizations can systematically identify risks, implement targeted security controls, and create an environment of safety and privacy for their members. This proactive approach helps to protect both digital identities and physical security, ensuring that Jewish communities can thrive without fear of targeting or harassment.