Private Companies and Defense Department Cybersecurity Standards

It’s the kind of record no one wants to see broken — the U.S. is on pace to see the most data breaches in a single year. No one’s popping the cork in celebration, just thinking of ways to get this harmful, costly mess back in the bottle.

For private businesses and organizations, cybersecurity solutions may seem limited by the resources that can be dedicated to them. But when even large corporations can fall victim to a massive data breach, what hope does a small or medium-sized business have when a determined bad actor attempts to steal consumer or employee data?

Cybersecurity is complicated and constantly changing to keep pace with the evolving nature of the threats that threaten our data, but strong solutions rooted in our national security apparatus are more accessible than a private business owner may realize. In fact, we recommend all businesses adopt Defense Department cybersecurity standards — it’s achievable and affordable.

Read on for a breakdown of the data breach crisis and how to begin adopting stricter cybersecurity strategies.

Why are data breaches proliferating?

Hackers, phishing emails and viruses are nothing new. New data breaches are in the headlines almost daily. With cybercrime being such a pervasive issue, why is it that the world doesn’t have a better handle on it? It’s not like these problems are creeping up on anyone.

Software is complicated, with products interacting on top of different pieces of hardware, such as servers, physical computers, cloud-based systems and more. It’s all a location for potential vulnerability. Sometimes, there isn’t a weakness until a new piece of software is introduced that provides a backdoor that no one would have ever expected. That’s a big reason software and hardware providers roll out regular patches — most of the time, they aren’t offering new features, but fixes for newly identified threats.

It’s an ongoing theme in our digital world. When everyone wants to have the newest, coolest, cutting-edge tech — and there is business pressure to get it to market — there will be vulnerabilities.

Why is our data so valuable?

So, a hacking group based an ocean away commits a data breach and gains access to consumer data from a major U.S.-based retailer, what next? In fact, for most of us whose information has been part of a data breach, the impact was probably unnoticeable. It begs the question of just why someone goes to the effort of stealing it in the first place. Certainly, financial information has clear value, but what about more basic information like an email or the city where you live? What’s so special about it?

Data is a commodity, one that paints a clearer picture of an individual and their habits. For example, when a business knows a consumer’s location, it may change the advertisements it shares (a Hawaii resident probably won’t see as many ads for salt during the winter months as a Minnesotan). That’s a simple example, but when you consider the amount of information a single person may have shared online, privately, or not, about their buying habits, health, finances, friends and behaviors, it’s suddenly not hard to see why data is so valuable. Bad actors online can find plenty of willing buyers for a trove of stolen email addresses and order histories, or they can even leverage an individual’s personal information to threaten their company.

What can private businesses do?

The Defense Department approach is not one thing. It’s a layered defense — the standard metaphor is an “onion” — aimed at being as secure as possible. And while the federal government and military clearly have resources to implement top-of-the-line security measures, many of these agencies’ tactics stem from publicly available guidelines and frameworks that can be leveraged for a private business’s needs.

Here are some tips to begin shoring up cybersecurity with stricter policies:

• Review data: Before spending thousands on a firewall or complicated product, businesses should begin by auditing their own data, both internal and external. What are they protecting? A local construction company might have customer and project information that can give a rival company a competitive advantage. The most important step is to prioritize what data is most important to protect — customer lists, intellectual property, operating systems? Rate what is most important, and it will help direct what strategies you adopt.
• Learn about and adopt federal guidelines: The National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) is a step-by-step process that guides organizations in integrating cybersecurity and privacy activities to new and legacy systems, regardless of size or industry.
  
  For organizations that require more strict guidelines, there are also Security Technical Implementation Guides (STIGs), which are produced by the Defense Information Systems Agency (DISA) and based on Department of Defense policy and security controls. While the STIGs can create strong policies, they are not necessarily business-friendly and can block access to certain parts of systems that can affect end users.
• Explore current platforms: It’s possible adopting federal guidelines may not be necessary. Lots of small companies are learn how to work remotely through online platforms — many of which have strong security features that may be a good fit for a business’s needs.
• Contact an expert: Most private business owners are not cybersecurity experts, and that’s why finding the right vendor will make a difference in avoiding being a victim of a data breach. At Three Wire Systems, we have deep experience working with organizations of all types and sizes, including government agencies, helping all our clients implement a mix of strategies to guard against internal and external threats. Learn more here.