Smaller Organizations Often Do Not Think They Have Issues
When we first started A&P, we were amazed at the number of smaller organizations that did not understand the high cyber risks they were facing. In some instances, all they had to do to lower the risk was change their policies and procedures, something that costs nothing but a little time. Yet they were absolutely adamant that nothing would ever happen to them and that they did not need to make any changes. Even in instances where the change would cost little and they stood to lose a big contract if they did not make it, the organizations I was talking to still refused. I would hear things like "I'm too small" or "no one knows I exist, so they will not bother me."
One of the reasons we opened A&P was to share our extensive knowledge of cybersecurity with local small businesses. We even offered free and low-cost cybersecurity classes through both our local community college and our local chamber of commerce. All of the classes were very lightly attended, and one had to be canceled for lack of registrants. At the time, we thought it was something specific to our local area, and we kept looking for new ways to educate smaller businesses.
When NY State implemented cybersecurity legislation for financial companies, several organizations reached out to us. The legislation outlined security best practices, including a risk assessment, all of which are excellent things that organizations should be doing anyway. However, the legislation included a loophole: smaller organizations were exempt. As soon as the organizations realized they were not going to be forced to follow the security best practices, they immediately changed their minds and went no further with implementing them.
A few years ago, in my quest to learn more about how to help smaller organizations, I had an opportunity to start a doctorate program. In my initial research, I was shocked to find similar stories. Many studies had examined smaller businesses in different local areas all around the globe. Despite a large variety of small business sizes and locations, information security weakness is a shared characteristic (Rohn, Sabari, & Leshem, 2016). For many smaller organizations, it does not seem to matter that there are free and low-cost ways of fixing the issues, or that there are experts willing to help them. There are many potential theories about why so many smaller organizations are not taking advantage of the resources available to them, but no one knows for sure what causes so many companies to accept such a high level of risk, or what it would take to get smaller organizations to change their thinking.
The Department of Defense (DoD) provides unclassified but sensitive information to suppliers so they can complete their contracts. There were too many instances of this information falling into the wrong hands, so the DoD added cybersecurity requirements to its Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS requires all contractors holding sensitive but unclassified information to meet the cybersecurity best practices outlined in NIST 800-171. The size of the organization does not matter: the information is just as compromised whether a large prime or a small sub-vendor disclosed it, so the requirements fall equally on everyone involved, and every organization that holds that data has to protect it adequately. Even so, there were still issues, and the cybersecurity rules are evolving. Self-assessments are giving way to more audits, and it looks like there will be certification levels. Failure to meet a security certification could mean an organization is not eligible to work on certain contracts. It will be interesting to see how things continue to evolve.
The DoD can say, "If you want to do business with us, you will comply." In general, however, there is no single worldwide regulation that forces all organizations, large and small, to maintain a proper cybersecurity posture. An attacker in Russia can attack someone in the United States, with the attacker and the victim in two completely different jurisdictions. What occurred may not even be a crime in Russia, where the attack came from, while in the United States it may be a felony. Even the United States does not have a comprehensive cybersecurity regulation; much of its regulation is specific to individual industries and enacted by individual states. If the only way to improve cybersecurity is to force compliance, it may be challenging to accomplish the necessary regulatory changes across so many jurisdictions.
For CS875, a blog post about the future and innovation was required. It is well known that many cybersecurity issues need solving, and perhaps technological advances will come to the rescue. It is fun to imagine a world in which data is assigned a security level and, no matter which organizations it transfers between, the security controls appropriate to that level are automatically implemented for it. Perhaps with machine learning and artificial intelligence, someday it will not matter whether organizations themselves choose to implement cybersecurity best practices; perhaps the technology itself will put the appropriate protection in place for them automatically. Until that time, A&P Technologies is here to help you make sense of what you need to do for cybersecurity.
Rohn, E., Sabari, G., & Leshem, G. (2016). Explaining Small Business InfoSec Posture Using Social Theories. Information and Computer Security, 24(5), 534–556. https://doi.org/10.1108/ICS-09-2015-0041