At the Cyber Readiness Institute (CRI), we know all too well about the burden being cyber ready places on the millions of small and medium-sized businesses (SMBs) around the world. SMBs tell us they don’t have the financial, technical, or people resources to make their operations as secure as they want to or should be. For too long, we’ve accepted that it’s okay to put the burden on the very organizations least prepared to handle it.
Change is coming.
The release of secure-by-design and secure-by-default guidelines by the Cybersecurity and Infrastructure Security Agency (CISA) and other international organizations is a historic first step in taking the burden of cybersecurity off the SMBs and placing it where it belongs—with software providers.
Under the guidelines (not requirements), software developers would no longer be able to leave it to customers to click the box to enable automatic updates. Their products will come with that function as a built-in feature, like seat belts in cars. The era of default passwords, another embarrassing source of cyber breaches, will come to an end.
You may be wondering if these are voluntary guidelines, then how can we make sure software developers are following them? The answer is the power of the marketplace. For starters, the organizations behind the guidelines represent governments or organizations with overwhelming buying power. SMBs have this power too. We encourage SMBs to ask their software vendors (or managed service providers) if the software products they sell, or use, are secure-by-design.
At CRI, we focus on human behavior, specifically the Core Four: passwords+ (multi-factor authentication); software updates; phishing awareness; and secure sharing and storage.
We look forward to a day when it’s the Core Three and we can remove software updates.
Karen S. Evans is the Managing Director of the Cyber Readiness Institute, a non-profit organization that provides free cybersecurity tools and resources to small and medium-sized organizations worldwide.
