Case Study: A Cyber Readiness Institute Program Created with CyberHawaii Helps Local Businesses Qualify for Lower Cyber Insurance Premiums and DoD Contracts

/ /

Over 80 local organizations have been Certified Cyber Ready in just over a year 

For the State of Hawaii, the U.S. Department of Defense (DoD) is one of the island chain’s largest employers, and the DoD’s ecosystem has helped create thousands of jobs for suppliers and partners. However, increased cybersecurity requirements for DoD contractors threatened to leave many small to medium-sized businesses (SMBs) ineligible.

Enter CyberHawaii and the non-profit Cyber Readiness Institute (CRI). CyberHawaii is an information sharing and analysis non-profit organization committed to developing and enhancing the cybersecurity capabilities of Hawaiian businesses. The organization is working to build a community that manages and mitigates cyber risk through various methods, including sharing information, access to federal partner resources, and encouraging cyber readiness best practices.

CRI and CyberHawaii collaborated to customize CRI’s existing Cyber Readiness Program to provide a pathway to meet new DoD requirements. A fully online initiative, CRI added key innovations to its program which have become the foundation for CRI’s additional work with global organizations running expansive supply chains. CRI/CyberHawaii kicked off every engagement with a detailed webinar and offered “office hours” with its cyber coaches. Targeting companies with 1 to 400 employees, the CRI/CyberHawaii program was designed to take six weeks to complete.

In a new approach, CRI developed a Cyber Coach qualification process and teamed with CyberHawaii to recruit and qualify over 20 individuals to become Cyber Coaches. The CRI-trained Cyber Coaches were used to support the SMBs through the program and to verify they had successfully completed the Cyber Readiness Program. The verification allowed CRI/CyberHawaii to state that the SMB was Certified Cyber Ready – an important stepping stone to meeting DoD requirements. Finally, CRI/CyberHawaii developed an assessment tool for the SMB to see how close they were to meeting the policy and technology requirements of the Federal Acquisition Requirements and the DoD.

CyberHawaii worked to recruit and identify companies needing to educate their employees in basic cyber hygiene practices to protect their businesses. They also recruited candidates to become Cyber Coaches from local universities and the community. CRI developed the training program and content, then trained the Cyber Coaches through a series of webinars in the use of CRI’s online Cyber Coach Certification Program. Each participating SMB was assigned a Cyber Coach to support them in implementing the CRI program and training their employees.

The result? More than 80 local Hawaii companies and non-profits have been Certified Cyber Ready in just over a year. In addition, the companies took a valuable step toward the Cybersecurity Maturity Model Certification Level 1 Status –a requirement to do business with the DoD. More than 80% of the companies who initiated the Cyber Ready Program process finished. Several coaches just out of college leveraged their work to secure full-time cybersecurity positions and embark on a cybersecurity career. Moreover, some companies saw their cyber insurance premiums reduced and were better able to select and then manage their vendors.

The CyberHawaii/CRI program was available at just the right time for SMS Research & Marketing Services, Inc (SMS), one of the island’s oldest market research companies. SMS CEO Tim Carson explained while his company does not store any personally identifiable information (PII), any type of cyber breach would threaten the trust of his customers.

Carson and 11 of his full-time employees went through the program over six weeks. Completing the program was essential for SMS, enabling the company to qualify for cyber insurance, which SMS would not have been able to secure without the program, according to Carson.

SMS employees are now on the cyber front lines and remain vigilant. They know not to use external thumb drives, and Carson said, “Every week, I get some potential phishing emails identified and forwarded to me before they were opened. In the past, they would have been opened. We are seeing employee behavior changes that make life a lot easier and secure for us.”

 After going through the program, Michael Cardenas, CTO of MC³ Technologies, revamped his company’s training materials to focus on culture and people, rather than purely technical solutions. Since then, employees have been more engaged in training. “This program really broke things down to the point where it was easily consumable for non-technical people,” he said.  “I would say the overall impact is people are now a lot more willing to hear about cyber security concerns and procedures that we’re putting in place. If nothing else, that’s a win for us.”

Cardenas was so impressed with the program, he decided to become a CRI/Cyber Hawaii Coach. “I can give up a little bit of time to benefit someone else and help them do well in business and be secure. It’s something I’m passionate about, and I hope that other people do the same thing.”