In this issue of Springs we tackle the often talked about subject of cybersecurity. Gartner describes it this way: “Cybersecurity is the practice of deploying people, policies, processes and technologies to protect organizations, their critical systems, and sensitive information from digital attacks.”
In the 2022 Gartner Board of Directors Survey, 88% of board members classified cybersecurity as a business risk; just 12% called it a technology risk. Still, a 2021 survey showed that the chief information officer (CIO), the chief information security officer (CISO) or their equivalent were held accountable for cybersecurity at 85% of organizations.
“Organizations have become far more vulnerable to cyberthreats because digital information and technology are now so heavily integrated into day-to-day work,” reports Gartner. “But the attacks themselves, which target both information and critical infrastructure, are also becoming far more sophisticated.”
By Gary McCoy
Countering Cyber Fraud with Suspicion
In the Fall 2021 issue of Springs, we published an article by Phillip M. Perry, “Cybersecurity: How to Counter Fraud in a Digital World.”
As Perry pointed out, large companies are not the only ones at risk from cybersecurity threats. “Criminals often target smaller businesses because their protections are typically not as strong,” said Mary S. Schaeffer, AP Now’s president. “They are likely to have older, unsafe technology and lack the security personnel to keep software updated.”
Perry wrote that fueling the rise in cyber fraud is the growing digitalization of business transactions, a long-term trend given further impetus by a greater reliance on electronic communications during the COVID-19 pandemic.
“Flaws in firewalls and Virtual Private Networks (VPNs), as well as in videoconferencing systems, have exposed more businesses to incursions,” said Robert M. Travisano, an attorney in the litigation practice of Epstein Becker Green. The rapid expansion of devices on the typical employer’s computer network has given cyber actors still more opportunities.
I encourage readers to reread Perry’s entire article (an electronic copy is archived on our website) for helpful advice on electronic payments and how to protect accounts. He also delves into the subject of damaging malware and cyber insurance.
Perry wrote that even the best insurance policy is no substitute for operating procedures that help stop cyber theft in its tracks. Employees from the CEO on down need to be trained on the most effective responses to thieves who are skilled at social engineering. “The one piece of advice I have is to be suspicious,” says Schaeffer. “Make sure everyone knows that if something looks a little odd, or if someone asks for something out of the ordinary, speak up. It’s better to go overboard on security than to go the other way.”
Helping Those Who Serve the Defense Industry
Spring manufacturers selling to the Department of Defense (DoD) are facing a critical deadline. By October 2025 they will need to ensure their security procedures comply with the requirements of a uniform set of standards designed to protect national security.
Perry presents a different cybersecurity article in this issue, “The Road to CMMC Compliance.” It is a sobering look at the challenge springmakers face to comply with the Cybersecurity Maturity Model Certification (CMMC), “the mandated policies and procedures that govern practices for restricting access to sensitive data on a need-to-know basis, and protecting such data from both accidental loss and transmission into the wrong hands through cyberattacks.”
Perry quotes Neil Jones, director of cybersecurity evangelism at Egnyte, who points out that CMMC compliance is a must-have, not a nice-to-have. “Every DoD contractor or sub-contractor, regardless of size, will need to comply.” Read Perry’s entire article on page 28.
NESMA board member Ted Lucas, CPA, and his co-worker, Jason Kane, CPA, CISA, of Marcum LLP, contribute with the article, “Software for Federal Agencies: New Orders and Their Downstream Impact.”
This article looks at the Biden Administration’s Executive Order 14028, issued in May 2021, which covered “Improving the Nation’s Cybersecurity.”
Some of the directives in the order included implementing stronger security standards in the federal government, creating a cyber safety review board, developing a standard playbook to respond to cyber incidents, and improving software supply chain security.
Lucas and Kane help guide readers to what is needed to ensure that software is compliant with the new directive, NIST 800-218. Deadlines loom by the end of this year.
Noting a bit of good news, Lucas and Kane say that NIST 800-218 requirements may trickle down into non-federal agency software vendors.
“This should generally be received as positive news for the users of software, including spring manufacturers with proprietary information that should be kept secure. As more software becomes cloud-based and more responsibilities of running the software become the responsibility of the software producer, users and companies can have stronger peace of mind knowing that their data is secure, as assessed against an established framework.”
Read the entire article on page 31.
Be Aware and Get Help
The Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to the nation’s cyber and physical infrastructure. CISA is part of the Department of Homeland Security.
Five products in the National Cyber Awareness System offer a variety of information for users with varied technical expertise. Those with more technical interest can read the alerts, analysis reports, current activity, or bulletins. Users looking for more general-interest pieces can read the tips. For more information, visit www.cisa.gov/uscert/securitypublications.