The cyber threat landscape is ever changing, and businesses can’t afford for their cybersecurity posture to lag behind. According to cyber experts, there are a few key tips that can help organizations of any size improve their cyber hygiene and better protect themselves against growing threats.
Implement National Cybersecurity Standards
The National Institute of Standards and Technology sets frameworks, standards and guidelines for a range of cybersecurity-related efforts. One such standard, NIST SP 800-171, was designed to help government contractors safeguard the sensitive information on their IT networks and systems.
But Kelley Kiernan, professor of cybersecurity and information protection at the DOD’s Defense Acquisition University, said the standard is not just for defense contractors.
“If you have any kind of intellectual property, any kind of novel technology or business system, what have you, you would implement NIST SP 800-171 as a national standard,” Kiernan said at the Potomac Officers Club’s 2024 Cyber Summit. “There’s a lot of people who think they only need to go there if you’re trying to do business with the DOD, when in actual fact it’s the federal standard that’s going to be adopted globally to protect intellectual property.”
“It’s not something you do because you’re going to have a DOD contract. It’s something you do because you want to protect your intellectual property, which is the lifeblood of your U.S. small business,” Kiernan added.
Designate or Hire a Dedicated Cyber Leader
When small businesses implement cyber standards like NIST SP 800-171, they can run into hurdles if they don’t have a dedicated cyber professional leading the implementation. According to Kiernan, 80 percent of small businesses in the U.S. have fewer than 20 employees, which means they often don’t have a dedicated IT professional.
“Just like you would only let a certified accountant do your accounting, you’re going to have to let a certified cyber person do your cyber if you have the job of protecting controlled unclassified information for the DOD or if you’re wanting to protect your own intellectual property,” said Kiernan.
But some small businesses may not have the resources to dedicate to hiring a cybersecurity professional, especially in the midst of ongoing global talent shortages for cyber roles. Karen Evans, managing director of the Cyber Readiness Institute, suggested that while organizations do need a dedicated cyber person, that person may not necessarily need to be a cyber professional. Instead, that role should be taken on by someone who deeply understands their organization’s mission and the risks they may face in executing that mission.
“The person in the organization has to be that cyber person — we’ll call them cyber leaders — but they don’t necessarily have to be a cyber professional. They have to understand what the risk is for their company as they’re using the technology,” said Evans.
Set Foundational Cyber Policies
Yasmine Abdillahi, executive director for cybersecurity governance, risk and compliance at Comcast Business, underscored the importance of having good, robust frameworks and policies in place to guide cybersecurity efforts.
“There is something very important around policies,” said Abdillahi. “Right now we cannot afford not having good policies. They don’t need to be boring, they don’t need to be long, but they are very important.”
Abdillahi said policies are incredibly important, especially as organizations work toward compliance with requirements like the DOD’s Cybersecurity Maturity Model Certification, known as CMMC.
Leverage Government Cyber Programs
There’s a multitude of government-supported cyber programs that companies should take advantage of to strengthen their cybersecurity. One such program is the Department of Defense’s Project Spectrum, which offers free classes and guidance for businesses.
According to Derrick Davis, director for industrial cyber security for the Office of Small Business Programs, Project Spectrum offers a range of information, training and education around basic cybersecurity, cyber hygiene, cloud security threats, identity and access management, compliance and more.
“Within that program, we have cyber advisors,” Davis said. “These cyber advisors will connect with the small businesses and advise you on questions that you have pertaining to cybersecurity.”
Davis’ fellow panelists also highlighted free cybersecurity programs through the Defense Acquisition University and the Cyber Readiness Institute.