On May 11, 2017, President Trump issued a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, designed to bolster the security of the U.S. federal government’s information technology.
Abdul Hammad, powersolution.com’s Chief Information Security Officer (CISO) and a member of the U.S. Secret Service New York Electronic Crimes Task Force, responded to the announcement saying, “The executive order cites ‘antiquated’ and ‘difficult-to-defend’ IT. It goes on to discuss the need to address unmitigated vulnerabilities that create high risk, incorporating expertise in various areas including IT, security, budgeting, law, privacy, and human resources. We find these issues and needs to be pervasive throughout the small/medium business (SMB) community as well.”
The executive order focuses on two key areas, federal networks and critical infrastructure, and places accountability for managing cybersecurity risk at the executive level. Similarly, SMB owners should be actively involved in budgeting for and implementing cybersecurity risk mitigation measures.
According to the executive order, cybersecurity risk management comprises activities that protect IT and data from unauthorized access and other cyber threats, maintain awareness of cyber threats, and detect anomalies and incidents that adversely affect IT and data. It also includes activities that mitigate the impact of, and recover from, cyber incidents. Effective risk management requires planning, maintenance, improvement, and modernization on a regular basis.
Some of the vulnerabilities discussed in the executive order that also commonly apply to SMBs include running hardware or operating systems that are beyond the vendor’s support lifecycle, failing to apply a vendor’s security patch, and neglecting to follow security-specific configuration guidance.
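The three weaknesses above can each be checked on a Windows host with a few lines of PowerShell. The script below is an added example and is not part of the original article or of any powersolution.com tooling: it flags an operating system past its vendor support date, a host whose most recent update is older than a threshold, and a disabled host firewall as one instance of “configuration guidance”. The support-end table and the 45-day threshold are illustrative values chosen for this example and should be maintained against the vendor’s published lifecycle dates; the function name `Get-PatchHygieneReport` is likewise the example’s own. `Get-NetFirewallProfile` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: basic patch-and-configuration hygiene report for one Windows host.
# Support-end dates are illustrative; verify them against the vendor's lifecycle pages.
$SupportEnds = [ordered]@{
    '*Windows XP*'          = '2014-04-08'
    '*Windows Vista*'       = '2017-04-11'
    '*Windows 7*'           = '2020-01-14'
    '*Windows Server 2003*' = '2015-07-14'
    '*Windows Server 2008*' = '2020-01-14'
}

function Get-PatchHygieneReport {
    param(
        # Constructed threshold: updates older than this are reported as stale.
        [int]$MaxPatchAgeDays = 45
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $now      = Get-Date
    $findings = @()

    # 1. Operating system beyond the vendor's support lifecycle
    $eol = $null
    foreach ($pattern in $SupportEnds.Keys) {
        if ($os.Caption -like $pattern) { $eol = [datetime]$SupportEnds[$pattern]; break }
    }
    if ($eol -and $eol -lt $now) {
        $findings += "OS '$($os.Caption)' left vendor support on $($eol.ToString('yyyy-MM-dd'))"
    }

    # 2. Security patches not applied: look at the most recently installed update
    $lastPatch = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $lastPatch) {
        $findings += 'No installed updates reported by Get-HotFix'
    } elseif (($now - $lastPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
        $findings += "Last update $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToString('yyyy-MM-dd')), older than $MaxPatchAgeDays days"
    }

    # 3. Security configuration guidance not followed: host firewall off for any profile
    $offProfiles = Get-NetFirewallProfile |
        Where-Object { -not $_.Enabled } |
        Select-Object -ExpandProperty Name
    if ($offProfiles) {
        $findings += "Windows Firewall disabled for profile(s): $($offProfiles -join ', ')"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OS        = $os.Caption
        Version   = $os.Version
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Usage: run in an elevated session; pipe to Export-Csv to collect results across hosts.
Get-PatchHygieneReport | Format-List
```

Each finding maps to one of the three weaknesses named in the article, so the report can be handed to an owner or budget holder as-is; extend the `$SupportEnds` table and the configuration check as your own baseline (for example, the NIST or SANS guidance referenced below) dictates.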
Federal government agencies will be utilizing the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The output of the Framework methodology includes documentation of vulnerabilities, considerations related to risk and budget, and action plans. Similarly, SMBs that want to properly assess, manage, and document their security posture should use qualified third parties that follow NIST and other industry-standard methodologies, such as the SANS 20 Security Controls published by the SANS Institute.
The executive branch’s policy is to build and maintain a modern and secure IT architecture while sharing email, cloud, and cybersecurity services across agencies. Similarly, SMBs are in a position to leverage available industry resources, including shared applications and services, to cost-effectively maintain a secure IT environment.
The executive order also calls for ongoing efforts to educate and train the public- and private-sector workforce through cybersecurity-related education. Clearly, it is likewise the responsibility of SMB owners to make sure their employees receive ongoing cybersecurity training.
Two days after the executive order, a massive ransomware cyberattack named “WannaCry” targeted enterprises and governments across nearly 100 countries worldwide (see our “WannaCry: 9 tips to apply now”). The ransomware seized control of computers, demanding that victims pay $300 or more in ransom to remove the infection. The attack was described as one of the broadest and most damaging cyberattacks in history, and it took advantage of a vulnerability in the Microsoft Windows operating system. At risk were computers and networks that had not been updated with the corrective security patch Microsoft had distributed two months earlier (March 2017).
A key takeaway from the federal government’s executive order and the “WannaCry” cyberattack is that SMB IT security is just as critical as that of an organization of any size. It is imperative that SMBs proactively protect and secure their data and ensure business continuity through planning, modern technology, operational controls, and workforce training.