New Government Cybersecurity Initiatives: Challenge to Improve or Small Business Barriers to Entry?
Changes in the cyber landscape of the last two years have been driven by a number of federal cybersecurity initiatives, including legislative changes such as the Cybersecurity Information Sharing Act of 2015 (CISA) and regulatory requirements like DFARS 252.204-7012. The DFARS clause, which invokes NIST Special Publication (SP) 800-171, implies that some businesses may risk losing their government contracts if they are not compliant by December 2017.
The CISA legislation and the new DFARS requirements are designed to give businesses assurance that the information they share will remain private and free of liability. According to the latest reports, about 50 private companies and 24 federal and state agencies are currently enrolled in the CISA program at the DHS National Coordination Center.
Like other cybersecurity initiatives, these carry a cost to achieve compliance. Some small businesses struggle with the lengthy work of documenting their processes and with the cost of staying up to date on program changes. Each new compliance requirement placed upon small and medium-sized businesses (SMBs) drives up their operational costs. As noted in the May 1, 2016 article in Security Magazine, these hidden costs have a number of direct business implications:
- The market conditions may restrict growth
- The organization may not be sufficiently prepared to handle the cyber threats
- Difficulty attracting top talent may restrict operational performance
Compliance, if not implemented “smartly,” can impact revenue and future business opportunities. So what can small businesses do to stay ahead of changing requirements?
- Leverage experts. Much as companies hire legal counsel or accounting help, cybersecurity hygiene and compliance require C-level executives to maintain a deep understanding of the changing regulatory environment, new data protection obligations, and related matters. Having access to cloud, risk, IoT, and compliance experts gives the C-suite an outside voice with which to demonstrate due diligence. Remember, investing in proactive security is always less expensive than remediating exploits. Using third-party support can augment existing resources without the overhead of full-time employment, raising the talent level while reducing fixed costs.
- Build a digital foundation. For many SMBs, keeping an eye on today’s revenue and requirements distracts leadership from the transition to a digital business, which is no longer optional. Both government and industry are already actively seeking cloud and IoT capabilities to reduce future costs through automation and digitalization while monetizing new revenue streams. Increasingly, private contractors are expected to understand and embrace these technologies and approaches and to offer up the corresponding cost savings. Security and data protection are foundational components of digital transformation, and (as noted above) companies should leverage experts to gain value and speed in building that foundation.
- Develop mature processes and expectations for your organization. If you find yourself the victim of a cyber attack or fail to meet a new compliance requirement, you will have to communicate your cybersecurity due diligence to customers, regulators, auditors, employees, and possibly the press. Executive teams need to consider how best to develop corporate emotional maturity and acknowledge that crisis readiness deserves emphasis. CEOs need to augment their incident response teams with crisis communications experts. Coordinating technical and cyber communications responses with a deep understanding of data protection rules, compliance, and notification obligations can positively influence follow-on actions and the company’s reputation. Preparing in advance ensures a solid, trustworthy message is developed with the right tone and tenor.
Contact EmeSec to better understand what upcoming regulatory developments, new technology trends, and government standards you need to prepare for today. Our approach combines risk assessment consulting, evaluation of security gaps and compliance, and crisis/incident response preparedness.