Cybersecurity is broken because of the loose approach by business management

By: Russ Hensley, CEO CISSP
Lexington, KY

The current approach to cybersecurity is broken. In general, the public has embraced the “it won’t happen to me” mentality. In the end, the safety net is that the IT service provider or in-house IT admin is “taking care of that.”

If you are one of our clients, you have been presented with a set of quotes that we internally call our security stack. Our stack is built around the National Institute of Standards and Technology’s Cybersecurity Framework (CSF). The NIST CSF is a derivative of computer security guidance that is woven into healthcare, banking and national security information security policies. Quite simply, ALL businesses should understand what this framework tells your business to have in place. If your business is technology driven, and if you think there would be OUTRAGE if the business were off-line for 3 days, then you should already have implemented it.

Our job is to work with our clients to provide the technical tools that help prevent intrusion. With our assistance, our clients must also invest by implementing frameworks and structuring policies. Security program recommendations for data backup policies, remote worker policies, password policy and a security training program for employees are the foundation for protecting your business.

Our banking and healthcare clients have lived in overload dealing with these requirements. However, many businesses in the nation pay little to no attention to the threat. Often cybersecurity services are viewed as unnecessary overhead UNTIL something happens. At that point the “overhead” is exorbitant, and they realize they do not have the insurance that will be needed to pay for the $100,000 or more labor bill to cover recovery, the $30,000 legal bill for their attorneys, the $80,000 bill for cyber forensics investigators, not to mention media/PR control and the loss of revenue while they are down. Insurance companies are not shy about letting it be known that they are reducing payouts and increasing premiums because of the lack of implementation and the rise in the number of attacks.

Something needs to be done to better prevent incidents like the Colonial Pipeline ransomware attack and to scrutinize the actions being taken in response to them. A single attack CAN affect the average American. “It can’t happen to me” is no longer adequate.

Fixing the approach begins with our legislators starting to understand these issues, not at the nerdy hacker level of intrusion and penetration, but in terms of the policies to be implemented and educational programs about what has to be dealt with.

Small Business, Large Cybersecurity Risks?

This article excerpt, by Tab Wilkins, originally appeared here:
Is cybersecurity something you need to worry about as a small manufacturer? In 2011, 50 percent of small businesses thought they were too small to be a hacker target, while the Verizon 2013 Data Breach Investigations Report found that 62 percent of breaches impacted smaller organizations. In 2011, the average cost to a small or medium-sized business from a cyber-attack was over $188,000.
What can be done to try and limit such attacks?
Jim Watson, President of California Manufacturing Technology Consulting, Inc. (CMTC), the MEP Center serving southern California, suggests several tips:
Limit the use and distribution of personal credit cards as a payment method for company expenditures
Train employees on security principles and practices and limit employee access to data and information
Find and install the most recent security software and make sure it is updated and current
</gra_replace_placeholder_never_used>
Secure Wi-Fi networks, password-protect access to routers and change ALL passwords quarterly
Install security apps on business cell phones
There are several web resources available that can help small businesses understand the cybersecurity environment and develop risk-management strategies. Five of those include:
The FCC Small Biz Cyber Planner 2.0 helps companies develop a custom cybersecurity plan via an on-line guide. The custom guide, while not a substitute for consulting with trained security professionals, can help benchmark current practices.
Another valuable website by the FCC includes additional tips for a small business dealing with cybersecurity, as well as references to select articles and other websites with important information. Of particular note are 10 Cyber Security Tips for Small Businesses, along with potential solution providers to consider. A website run by the National Cyber Security Alliance has current information on trending topics and how to stay safe on-line. It offers opportunities to get involved in the cybersecurity community and has tips on teaching online safety.
Finally, NIST has several tools and workshops to help companies better understand and respond to cybersecurity issues, such as the Cybersecurity Framework within the Computer Security Division’s Computer Security Resource Center. Planning is underway for a series of small business workshops to help owners and managers better understand risk management strategies.
While the Internet provides significant business advantages and opportunities to companies of all sizes, every business should think about incorporating practices and tools to guard against cyber-attacks and significant losses.