When it comes to cybersecurity, every individual and business, regardless of size or industry, can play a role in keeping us safe.
In the aftermath of the killing of Major General Soleimani, the second most powerful political and military leader in Iran and a cultural icon, there has been considerable speculation that, following Iran’s “hard revenge” on two U.S. military bases, Iran will continue to retaliate, without seeking attribution, through destructive cyber attacks on the infrastructure of the United States and its allies. While Iranian cyber capabilities are not necessarily as sophisticated as the tools used by the Chinese and the Russians, the potential threat from Iran should elicit concern because they now have both motivation and intent and sufficient capabilities to do harm.
Let’s not waste time debating how likely it is Iran will initiate cyber attacks. Now is the time to acknowledge that our public and private institutions are incessantly under attack from all kinds of bad actors – ranging from nation-states to lone wolves – and use this opportunity to focus attention on the cybersecurity and cyber readiness of all business.
Specifically, we need to focus on what are often the weakest links in global value chains: small and medium-sized businesses (SMBs). Recent studies continue to show that SMBs are particularly vulnerable and ill-prepared for cyber attacks. In 2019, 66% of SMBs experienced a cyber attack and 63% reported a data breach. SMBs are frequently targeted because they are less likely to have the resources, tools, and technical expertise of a larger corporation. Among SMBs, only 30% feel that their IT security is effective at protecting their business.
We need to reverse this worrisome trend, or we will all continue to be vulnerable. The increasing interdependencies of our digital economy mean that every business is connected to each other; therefore, all businesses, especially small businesses, should consider themselves critical. This label is not meant to be dramatic or an exaggeration, but a statement of fact given our current cyber environment. If every business is critical, then every business must make cybersecurity critical to the mission of their business.
There are practical steps to becoming more cyber secure and cyber ready that don’t cost a lot of money or require a technology solution and investment. Ensure your systems and networks are secure. If you haven’t already, create back-ups of your critical systems and networks. Test your back-ups. The existence of a back-up does not mean it is working. During a recent tabletop exercise with a global infrastructure company that was responding to a ransomware attack, the company learned that its back-up didn’t work.
Pay attention to the security of your third-party vendors and your supply chain. The age-old adage that you are only as strong as your weakest link is never more appropriate and truer than in reference to the security of global value chains today when 60% of cyber attacks target SMBs. Several years ago, it was reported that a global oil company was breached through the malware that was deployed on the online menu of the Chinese restaurant from which the oil company employees routinely ordered.
Finally, and what we assert to be most important, is to ensure every employee within your organization is educated and trained on cybersecurity.
Each business should have simple, easy-to-understand policies on strong authentication and passwords, software updates, phishing, and USB use, as a start. For example, use passphrases with a minimum of 15 characters. When your password has been breached, reset it. Use multi-factor authentication whenever possible.
Provide training programs on phishing and alert your employees to the methods malicious actors use to social engineer individuals. A successful phishing attempt gives a malicious actor access to your network. While an employee may think that the business’s network is not critical, remind your employees that you are connected to all of the networks in your supply chain.
When research indicates that 91% of all cyber attacks start with a phishing email, that alone should be a call to action.
When possible, avoid the use of USBs and removeable media. If that is not possible, make sure your company’s IT department has cleaned and approved the device. Finally, focus on creating a culture of cyber readiness. Make sure every employee understands that he or she has an accountability and responsibility for the cybersecurity of your business.
When we are confronted with a physical threat from a nation-state, Americans put their faith in our service men and women and in the senior leaders of our government to protect us and keep us safe. But, when it comes to cybersecurity, every individual and business, regardless of size or industry, can play a role in keeping us safe. Because of the ability of a malicious actor to access a network by accessing an individual’s email, disruption can be caused by the negligence of one individual. Similarly, resilience, security, and protection can be created by one individual.
We should each view the threat from Iran as a call to action to focus on cybersecurity and do the basics. Every business, every individual can play a role in making our nation more secure. The time to act is now.
Kiersten E. Todt is the Managing Director of The Cyber Readiness Institute and the former Executive Director of the Presidential Commission on Enhancing National Cybersecurity.