SolarWinds, the Microsoft Exchange Server hack, and now the Colonial Pipeline ransomware attack, among scores of other cyber security attacks and breaches, have led President Joe Biden to sign an executive order (EO) on cyber security.
This executive order, while not asking for anything revolutionary, is a step in the right direction for our federal government, and SMBs should take note of the items it emphasizes to better protect their own data and IT systems from an increasingly complex cyber threat landscape.
Key Changes to the Federal IT Security Infrastructure
The executive order, which Biden signed on May 12, 2021, covers six key elements of cyber security:
- Enabling IT service providers to share breach information
- Modernizing fundamental IT security standards across the federal government
- Improving supply chain security
- Establishing a cyber security review board
- Creating a standard playbook for responding to cyber security incidents
- Improving investigation and remediation capabilities
1. Enabling IT service providers to share breach information
This EO makes it easier for managed IT service providers to share information about potential breaches and other security incidents with the federal government.
While the EO stops short of requiring MSPs to release information, it does enable them to do so, allowing data to flow faster and shortening post-breach response time.
Why does this matter to SMBs?
SMBs will benefit from a level of transparency like this going forward. If they are currently engaging with a technology partner like an MSP, that MSP will be able to get information about attacks much more quickly, so mitigation can happen faster.
2. Modernizing fundamental standards across the federal government
The federal government is now required, across its departments and agencies, to implement standardized cyber security fundamentals in three main areas. These are the same three areas that MSPs stress for their clients, so SMBs should take note.
- Zero-Trust Architecture – The first item for unification is the establishment of a zero-trust framework. A zero-trust concept follows the idea that nothing on your system is automatically allowed to 1) communicate or 2) run.
Take the recent SolarWinds breach for instance. Under a zero-trust model, the Trojanized update wouldn’t have been allowed to run, so the malicious packet wouldn’t have been downloaded. A zero-trust model helps shore up gaps that have been present in technology stacks for a long time.
- Multifactor Authentication – This is one that IT service providers have been stressing for their clients for a long time. It’s already a hot topic in cyber security, and the federal government’s requirement of it should emphasize how necessary it is, and not just at an app level. Companies should also consider implementing MFA at a device level—meaning that every time you log onto your computer, you have to verify that you are who you claim to be.
- Encryption – Encryption helps make sure that your data isn’t accessible to anyone who shouldn’t have it, both in transit and at rest. MSPs help deploy it on mobile devices, limiting data compromise should a company device get lost or stolen.
While these items aren’t new, by any means, the fact that the federal government is incorporating them into their own infrastructure shows the importance of having a robust IT security setup for your own company.
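The zero-trust item above says that nothing is automatically allowed to communicate or run. The following added example (not code from the original post or from any MSP product) shows what that default-deny stance looks like in practice: an execution check that only permits artifacts whose SHA-256 digest matches a vetted build, and an outbound-connection check that only permits destinations on an explicit list. The artifact bytes, the hashes and the network policy are all constructed here so the script runs offline.

```python
"""Default-deny checks for 'run' and 'communicate', in the zero-trust spirit.

Added example. All artifacts, digests and policy entries are constructed
for illustration; they do not describe any real vendor or incident.
"""
import hashlib
import hmac

# Constructed: the build team has reviewed these exact artifacts.
VETTED_ARTIFACTS = {
    "agent-update-1.0.bin": b"\x7fELF\x02\x01\x01 constructed approved agent build",
    "backup-tool-2.3.bin": b"MZ\x90\x00 constructed approved backup tool",
}

# Constructed: the same update with a single byte changed, standing in for a
# build that was altered somewhere in the supply chain.
TAMPERED_UPDATE = VETTED_ARTIFACTS["agent-update-1.0.bin"].replace(b"approved", b"altered!")

# Constructed: the only outbound destinations the agent is allowed to reach.
ALLOWED_DESTINATIONS = {
    ("updates.example.internal", 443),
    ("logs.example.internal", 6514),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> dict[str, str]:
    """Map artifact name -> SHA-256 digest for every vetted artifact."""
    return {name: sha256_hex(blob) for name, blob in approved.items()}


def execution_decision(name: str, data: bytes, allowlist: dict[str, str]) -> tuple[bool, str]:
    """Decide whether an artifact may run. Anything not explicitly approved is denied."""
    expected = allowlist.get(name)
    if expected is None:
        return False, f"deny: {name} is not on the allowlist"
    actual = sha256_hex(data)
    # Constant-time comparison; the digests are short, but it costs nothing.
    if not hmac.compare_digest(expected, actual):
        return False, f"deny: {name} digest {actual[:12]}... does not match the approved build"
    return True, f"allow: {name} matches the approved build"


def connection_decision(host: str, port: int, allowed: set[tuple[str, int]]) -> tuple[bool, str]:
    """Decide whether an outbound connection may proceed. Unknown destinations are denied."""
    if (host, port) in allowed:
        return True, f"allow: {host}:{port} is an approved destination"
    return False, f"deny: {host}:{port} is not an approved destination"


def evaluate_all() -> list[tuple[bool, str]]:
    """Run every constructed case through the two policies and return the decisions."""
    allowlist = build_allowlist(VETTED_ARTIFACTS)
    return [
        execution_decision("agent-update-1.0.bin", VETTED_ARTIFACTS["agent-update-1.0.bin"], allowlist),
        execution_decision("agent-update-1.0.bin", TAMPERED_UPDATE, allowlist),
        execution_decision("unknown-tool.bin", b"never reviewed", allowlist),
        connection_decision("logs.example.internal", 6514, ALLOWED_DESTINATIONS),
        connection_decision("203.0.113.7", 8080, ALLOWED_DESTINATIONS),
    ]


if __name__ == "__main__":
    for allowed, reason in evaluate_all():
        print(reason)
```

The point of the structure is that both functions return a denial unless a positive match is found; the vetted update passes, the altered copy of the same update fails on its digest, and anything the policy has never heard of, whether a binary or a destination, is refused without needing a signature or a blocklist entry.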
3. Improving supply chain security
After realizing the severity of SolarWinds, the federal government is also making some changes to the requirements software developers follow when working with their numerous departments.
Primarily, developers that work with the federal government will be required to submit a software bill of materials and adhere to certain standards going forward.
While this doesn’t directly apply to SMBs (unless you are, in fact, working with the federal government), you should still recognize that technology vendors, even big-name technology vendors, can be a major source of risk for your organization. This especially includes technology service providers like your MSP partner. Vetting their capabilities and security is, and will continue to be, a huge component of ensuring your data and systems are safe from cyber threats.
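Item 3 says developers will have to submit a software bill of materials (SBOM). To show what a buyer can actually do with one, here is an added example (not code from the original post or from any vendor) that reads a small SBOM in the CycloneDX JSON layout, lists the components it declares, flags any component that arrived without a pinned version, and matches the rest against an advisory list. The SBOM document, the package names and the advisory identifiers are all constructed and hypothetical; the only real thing here is the CycloneDX field layout (bomFormat, specVersion, components with name, version and purl).

```python
"""Reading an SBOM and checking its components against an advisory list.

Added example. The SBOM contents and the advisories are constructed for
illustration; the identifiers are placeholders, not real CVEs.
"""
import json

# Constructed SBOM in CycloneDX JSON layout. One component deliberately
# lacks a version so the 'unpinned' path is exercised.
SAMPLE_SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "2.4.1",
     "purl": "pkg:generic/example-http@2.4.1"},
    {"type": "library", "name": "example-compress", "version": "1.0.9",
     "purl": "pkg:generic/example-compress@1.0.9"},
    {"type": "library", "name": "example-crypto", "version": "3.2.0",
     "purl": "pkg:generic/example-crypto@3.2.0"},
    {"type": "library", "name": "example-logger"}
  ]
}"""

# Constructed advisory feed: component name -> (first fixed version, placeholder id).
# A component is affected when its version is strictly below the fixed version.
HYPOTHETICAL_ADVISORIES = {
    "example-compress": ("1.1.0", "HYPOTHETICAL-ADV-0001"),
    "example-crypto": ("3.1.0", "HYPOTHETICAL-ADV-0002"),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.0.9' into (1, 0, 9). Non-numeric parts are treated as 0."""
    parts = []
    for piece in version.split("."):
        try:
            parts.append(int(piece))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def load_components(sbom_json: str) -> list[dict]:
    """Return the component entries of a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def unpinned_components(components: list[dict]) -> list[str]:
    """Names of components declared without a version; these cannot be checked."""
    return [c["name"] for c in components if not c.get("version")]


def find_affected(components: list[dict], advisories: dict) -> list[tuple[str, str, str, str]]:
    """(name, shipped version, first fixed version, advisory id) for each affected component."""
    findings = []
    for comp in components:
        name, version = comp["name"], comp.get("version")
        if not version or name not in advisories:
            continue
        fixed, adv_id = advisories[name]
        if parse_version(version) < parse_version(fixed):
            findings.append((name, version, fixed, adv_id))
    return findings


def review_sbom(sbom_json: str, advisories: dict) -> dict:
    """One-stop review: inventory size, unpinned entries, and advisory matches."""
    components = load_components(sbom_json)
    return {
        "component_count": len(components),
        "unpinned": unpinned_components(components),
        "affected": find_affected(components, advisories),
    }


if __name__ == "__main__":
    result = review_sbom(SAMPLE_SBOM_JSON, HYPOTHETICAL_ADVISORIES)
    print(f"{result['component_count']} components declared")
    for name in result["unpinned"]:
        print(f"unpinned: {name} (cannot be matched against advisories)")
    for name, shipped, fixed, adv_id in result["affected"]:
        print(f"affected: {name} {shipped} < {fixed} ({adv_id})")
```

The useful lesson is in the two negative paths: a component with no version is reported separately rather than silently passing, and a component that is on the advisory list but already at or above the fixed version is not flagged, so the output stays actionable.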
Why should I vet all managed IT service providers I might work with?
Some MSPs do not practice what they preach when it comes to IT security, and they bring vulnerabilities to their clients.
When scouting out an MSP, ask about their security credentials. To get the peace of mind you need, look for an IT partner validated by a third party. For instance, look for one with the CompTIA Security Trustmark+.
These third-party validations show that MSPs have gone through a rigorous assessment and follow best practices—and can protect themselves and their clients.
4. Establishing a cyber security safety review board
The EO also calls for the creation of a group, akin to the National Transportation Safety Board, that will convene following cyber security incidents. It’s important for organizations, or for a business and its MSP, to review where vulnerabilities originated, how they were exploited, and the paths that led to the incident.
With increasing scrutiny being placed on vendors, this is surely an area to watch closely in the future.
5. Creating a standard playbook for responding to cyber incidents
An important distinction needs to be made here—the government plans to implement a uniform incident response plan across entire federal departments and agencies. Some departments may already have their own, but having a plan in place that everyone can follow, before a breach occurs, is crucial.
The main takeaway here is that if your business doesn’t already have an incident response plan, you should create one immediately.
And if you’re not sure how to create one, IT providers are invaluable, as they have helped numerous SMBs with theirs.
6. Improving investigation and remediation capabilities
A solid plan for logging and reporting data from your systems needs to be in place, just as the federal government is starting to improve its efforts in this arena.
As cyber threats continue to ramp up, and as companies become increasingly reliant on a robust IT infrastructure to conduct business, security systems will be required to churn through more data to identify and mitigate threats.
Keep in mind dwell time – the amount of time an attacker is on your network before they do something to announce their presence. The average amount of time a cyber criminal remains undetected is around 141 days, so the typical rolling log of monitoring data, which is 7, 14, or 30 days, is not sufficient to paint a big enough picture.
As the federal government starts to churn out additional cyber security guidelines, SMBs should follow suit.
Cyber security threats show no sign of slowing down. Phishing, vishing, ransomware—all are increasing at an alarming rate—both in frequency and sophistication.
A comprehensive, layered IT security strategy is no longer optional.
Contact CoreTech today to learn more.
Discover your organization’s vulnerabilities in just a few short minutes. Download and complete our IT Security Scorecard now.