To own a small business, you’ve got to be at least something of a gambler. As a result, you get comfortable taking chances. Ignoring risks. However, you do not want to roll the dice by waiting on security.
You know all too well that many businesses owe their success to luck as often as labor. That’s not to say that the risks you take aren’t carefully calculated – they are. However, many of you reading this may have risked everything by waiting to take effective cybersecurity measures.
The cybersecurity risks have never been higher than right now — and the government knows it.
It’s why the Cybersecurity and Infrastructure Security Agency (CISA) announced the Shields Up program. Shields Up is designed to protect American businesses from malicious cyber activity surrounding Russia’s invasion of Ukraine. It’s also why the DOJ announced it will fine government contractors and other businesses that fail to follow cybersecurity standards or fail to report cybersecurity incidents.
Waiting on security upgrades until regulatory agencies mandate security can be costly and dangerous for your businesses.
Any company, including contractors and subcontractors, who do business with the government faces a slew of orders to be compliant with various cybersecurity frameworks. This includes NIST 800-171, which outlines the required security standards and practices for non-federal organizations. Likewise, FAR 52.204-21 lays out 15 basic safeguards surrounding data, physical security, and cyber hygiene. Similarly, the Cybersecurity Maturity Model Certification (CMMC) program is a framework designed to protect the defense industrial base.
Playing a Dangerous Game of Cybersecurity Chance
As regulators negotiate, discuss, and finalize, we’ve noticed an alarming trend. Many companies are hitting the “Pause” button.
We get it. Last year’s CMMC town halls highlighted small business concerns. The new policies being proposed put a disproportional burden on smaller companies that might not have the systems, in-house expertise, or budget for the required response.
The industry developed CMMC 2.0 to address those issues. And in many ways, it does. But it also contains a few surprises.
The Reality Check
If you’ve pumped the brakes on investing in more robust cyber security and are waiting to see what the regulations will look like, you’re taking a huge gamble. Here’s the reality.
Attacks won’t wait.
While you spend time waiting on security, your business continues to be at risk for a data hack or ransom.
The business interruption, reputation damage, proprietary information losses, recovery fees, and customer or contract losses are often enough to sink even the most stable businesses. And any cyber insurance policy you’ve got won’t be sufficient. It won’t cover everything.
If hackers return your data after a ransomware attack, your problems may multiply. Corrupted and inaccessible data aren’t much use.
The “final” version will come up too quickly.
When DoD starts using CMMC 2.0 guidelines it will be with just 60 days’ notice.
That’s not enough time for most companies to complete remediation work. Waiting for a final version or official start may cost you contract opportunities. If you’re ready to go sooner, however, you might be able to grab work from others who are not.
While not fully finalized, DoD is planning to offer incentives to organizations that go through the certification process prior to the final rulemaking for CMMC.
Your to-do list has 320 tasks!
The requirement to be compliant with NIST 800-171 cybersecurity framework has 110 controls that require 320 assessment objectives.
For Maturity Level 1 and non-prioritized Maturity Level 2 contracts, senior leadership will self-attest to their company’s compliance each year.
But that’s not a free pass. The DOJ has already used the False Claims Act to go after companies who self-attest, have a security incident, and are found, through an investigation, not compliant.
Documentation did not go away.
Many companies believed that CMMC 2.0 would do away with documentation: It. Did. Not.
Companies must document all of the 320 assessment objectives. It’s a significant amount of work — and few companies can do it all internally. Another reason that waiting on security measures will backfire when the a time crunch comes.
The ROI Dilemma
We acknowledge that the cost of cybersecurity seems daunting.
Many companies haven’t invested in an enterprise-level solution or even budgeted for ongoing cybersecurity work. But they need to.
Cybersecurity has become a normalized expense for business operations, like paying payroll taxes or carrying insurance. If you’re struggling to see the ROI of cybersecurity consider three things.
1. Small businesses are the ideal target for ransomware hackers.
Cybercriminals know you have fewer resources and staff to prepare for, defend against, and recover from attacks. Attacks have doubled in the last year because they are incredibly lucrative and you’re a great testbed to prepare for larger attacks.
2. The average cost for a data breach in a small company is $108,000.
But money isn’t the only thing at stake. The disruption, recovery, and unanticipated costs — plus customer frustration — have been shown to take a far greater financial toll on companies. This can total as much as $3 million per incident for companies with fewer than 500 employees.
3. Cybersecurity can be a competitive advantage.
While others delay, you can cash in on customer and partner trust built on the strength of your cybersecurity program.
There is an easy way to begin.
A slow roll is still a step in the right direction. We advise small businesses to do several things right now to get things started. Most of them won’t cost you a dime!
Talk real numbers.
A realistic estimate is the first step toward developing a compliant security plan.
A good cybersecurity services company will provide a basic assessment and estimate free of charge. A great cybersecurity services company will further your education, explaining the standards you will need to follow, where you stand now, and the scope of a solution.
Real numbers allow you to plan ahead and budget for security. Very often, we surprise small businesses when they learn that cybersecurity compliance doesn’t cost as much as they expected.
Understand your attack surface.
The physical front door isn’t the only way people are entering your business.
All of your web apps, portals, and bill pay systems are entrance points too. Identifying all of your assets is the first step in securing them.
Now is the time to conduct a thorough audit of your digital ecosystem to understand your attack surface and plan for ongoing monitoring.
Revisit your incident response plan…and practice it!
In case of a security incident, every employee with network access should understand the plan.
Above all, your Incident Response Team, encompassing leadership, IT, HR, legal, and communications, should also practice their first steps. Similarly, it may be helpful to have written procedures and a printed phone tree that clearly spells out whom to contact and under what circumstances.
Back up your data.
Put together an ironclad schedule for backing up all data. Likewise, it’s valuable to test the procedures for restoring information, too, in case you are hit with ransomware or another cyberattack.
A good look at cybersecurity realities can help small business owners and leaders change the game. Therefore, there’s no need to gamble with your company’s future and reputation.
Cybersecurity-building steps often start with a slow roll and pick-up speed as companies understand more about their requirements and the business benefits of a robust security stance.
Derek Kernus is the director of cybersecurity operations at DTS and holds CISSP, CCSP and CMMC RP certifications. DTS provides tailored, scalable cyber solutions for small- and medium-sized organizations leveraging top resources and the expertise of talented individuals with a passion for excellence to help protect our clients’ people and data.
