September 29, 2020
Good morning, everyone!
Patch all the things! Seriously, don't make it easy for the bad guys by not applying security fixes to Citrix, Pulse Secure and F5 VPNs. Cisco has released security fixes for IOS XE, and CISA reports that the critical vulnerabilities in Windows Server are being actively exploited. Patch all the things!
Last week I was honored to be an "alumni spotlight" at the University of South Alabama as part of the Annual Grace Hopper Celebration and September Women in Technology Month. You can read my story here.
Prioritizing Cyber Security in Your Organization
This past week I watched the second installment of CISA’s 3rd Annual National Cyber Summit (done virtually this year) and one of the talks described four major trends for small businesses in the current environment. They match up with what we see, so I want to discuss them with you this week, but first a quote (paraphrased) from Ola Sage in her talk "On the Ground Perspective for Small Businesses":
There are many resources available online for helping small businesses achieve a reasonable level of cyber security, but they are only useful if you are prioritizing cyber security within your organization.
Yes, THIS! The Global Cyber Alliance recently released their Cybersecurity Toolkit for Small Business, CISA has their Cyber Essentials Toolkits and NIST maintains its Small Business Cybersecurity Corner, to name just a few. But these online resources are worthless if cyber security is not a priority in your organization. Unless and until ownership/management takes it seriously, no one will.
So, back to the four major trends for small businesses in 2020:
Four Major Trends Impacting the Cyber Security of Small Businesses
(1) The Overnight Move to Working From Home (WFH)
Thanks to COVID-19, many organizations (of all sizes and industries) made a rapid move to WFH, expanding corporate cyber security risk to employees’ home environments. Many organizations weren’t prepared for this (a pandemic wasn’t in their business continuity plan!) and had to make hasty decisions. Many “temporary” measures were put in place and now, 6 months later, it's time to look at long term options. I talked about this in detail in my July 21 newsletter:
- Install a VPN.
- Set up corporate accounts for LogMeIn, GoToMyPC, etc.
- Develop and promulgate an acceptable use policy for WFH.
- Secure employee home networks.
- Require multi-factor authentication everywhere.
- Invest in employee training.
- Have good written policies, and train your employees on the policies.
You may want to read it again, to refresh your memory!
(2) A Massive Shift to Cloud Solutions
The second major trend with a significant impact on cyber security is the move to cloud solutions. This was already a trend before 2020, but again, COVID-19 has caused rapid acceleration. From video conferencing to file sharing and hosted accounting/CRM/ERP, the reality of a remote workforce is pushing many organizations to move more of their data and processes to the cloud. My July 14 newsletter covered a lot of information on the cloud, and I want to include just a little bit of that here:
Before moving everything to the Cloud, take the time to learn about the shared responsibility model and what your organization’s role will be in securing your data online. Tripwire published a good overview worth reading: The Cloud’s Shared Responsibility Model Explained
"While it is true that CSPs like AWS or Microsoft Azure have their own security responsibilities, the truth is that data breaches will continue to occur unless organizations using cloud services collectively fulfill their end of the relationship."
(3) Targeted Phishing Campaigns to SMBs Receiving Disaster Loans
Many people don’t realize that every organization receiving a COVID-19 related disaster loan is on a public list. Yes, this is public information. And of course cyber criminals have pulled these lists and used them to develop targeted phishing schemes. In fact, Barracuda Networks reported that email scams related to COVID-19 surged 667% just during the month of March, and that trend has continued.
Remember, basic defense against phishing attacks involves simple good habits that I discussed in my September 15 newsletter:
- Think before you click.
- Develop your natural skepticism.
- Refer to original sources of information.
Train your employees! They are your last line of defense. If they get an email or text from the bank or the SBA asking them to log in for updated information, for example, tell them not to click that link! Open a web browser and go to the bookmark or favorite site for logging into the bank or SBA website. Again, more details on this are in my earlier newsletter.
(4) The Upcoming Cybersecurity Maturity Model Certification (CMMC) for all Defense Contractors
For more than a year, the Department of Defense (DoD) has been developing a new program for third-party certification of the security of information systems in ALL DoD contractors and subcontractors. This new CMMC requirement will impact approximately 300,000 businesses in the US, many of whom are small contractors or subcontractors lacking even basic cyber hygiene. While it will take 5 years to fully roll out to the entire DoD supply chain, smart organizations are starting to prepare now. Contracts with the CMMC clause will only be awarded to organizations that already have their CMMC in place, and prime contractors are obligated to "flow down" the CMMC requirements to their subcontractors.
The CMMC Accreditation Body, a non-profit organization managing the ecosystem for training assessors and certifying contractors under the CMMC Model, recently began training the first level of CMMC consultants, the Registered Practitioner. I’m pleased to say that I am among the first to successfully complete the training, and I hope to be credentialed soon. I’m starting a new newsletter, “CMMC Update” which will focus only on the topic of the CMMC. If you are interested, please follow this link to subscribe and receive regular updates.
While the CMMC currently applies only to DoD contractors, the GSA has already included references to CMMC in a recent solicitation, and it is widely believed that the CMMC will be expanded to all federal government contractors in the near future. If you have any questions about the CMMC, please contact me! I'm always happy to talk with organizations that have cyber security concerns. Next month I'm doing a work(fromhome)shop you may be interested in: Becoming DFARS Compliant and Preparing for the CMMC.
Circling back around to our original topic today, that quote (paraphrased):
There are many resources available online for helping small businesses achieve a reasonable level of cyber security, but they are only useful if you are prioritizing cyber security within your organization.
Cyber security starts with YOU!
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Remember, you can read past editions of this newsletter on our website, along with tons more information under the Resources tab of our new website.
Talk to you again soon!
Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!
TNE. Cybersecurity. Possible.
The Net Effect, L.L.C.