Cyber Warfare Begins With Military Precision
Educating small businesses and implementing workforce development is key to readiness.
The small business sector must seize the day and immediately begin taking the steps necessary to implement tools for cyber resilience and cyber readiness. Scaling cybersecurity services, education and training are crucial to national security.
Regarding the cyber warfare landscape for 2021, the most critical group to secure is the small and midsize business sector (SMBs), particularly following the pandemic. When working with tech-specific organizations and the military, process management and a sense of purpose can overcome inertia and apathy until a financial loss appears.
According to the U.S. Small Business Administration, the United States is home to 31.7 million small businesses that employ nearly 61 million workers—half of the private-sector workforce. Small businesses account for 99.9 percent of all U.S. businesses.
But even with all the emphasis placed on cybersecurity measures in Washington and within military ranks, an SMBs’ core is vulnerable. More than two in five U.S. companies with 50 employees or less have no cybersecurity defense plan, according to Bullguard in a 2020 survey of 3,083 SMBs.
The options for cyber deterrence may seem endless, and the definitions of “cybersecurity services” vary so widely that SMBs are hard-pressed to make an intelligent choice without extensive research into information technology (IT) security features and benefits. Worst of all is the increasing number of attacks on SMBs in the U.S. economy.
It’s time to pursue cyber readiness in SMBs with military precision. For all cyber warriors on a hero’s journey, understandably, the hardest step is the first one.
Here are some key recommendations about the actions needed to improve cyber readiness:
Effective programs must be championed in small business circles of influence, from tech councils to managed security service providers to programs designed by nonprofits for basic cyber hygiene.
Such programs could include those like the CyberReadiness Institute, the Department of Homeland Security Cyber Security Advisor program (CSA) under the Cybersecurity and Infrastructure Security Agency (CISA), and the new CYBER-CHAMPS program (Cybersecurity Competency Health and Maturity Progression Model) of the Idaho National Laboratory (INL). Following the practice model of a civil defense initiative, the goal for small business guidance begins with helping them avoid practices that would make them easy targets, assessing policies, finding vulnerabilities, gathering intel on problems, supporting them with tools and tactics, and training them to defend themselves. This model works for the military in times of war and can work in cyber warfare for small businesses. Military tactics work because of basic truisms that must be followed for a force-multiplier effect. Creating a larger vision plan for the country—particularly small businesses—remains a moving obstacle to bringing the village forward.
The new CYBER-CHAMP program focuses on identifying competency gaps based on job-level descriptions. In this program, operational readiness comes from measuring policy control, process control, practices observed and program maturity, then moving onto cyber competency health in roles and capabilities. The INL discovered a way to show a return on investment for cyber professionals to engage in higher-level training tied to their career performance, as well as building workforce structures in their companies for expansion and cyber resilience. CYBER-CHAMP takes some of its core competencies mapping from SANS Institute of job roles and the National Initiative for Cybersecurity Education (NICE)/National Institute of Standards and Technology (NIST) Framework. As an individual’s job description is broken down into roles, the training plan is designed to fit the primary role.
Small businesses should increase the number of new cybersecurity apprentices, particularly those from underrepresented populations, including veterans, women and minorities.
Federal and state partners need to accelerate and expand the adoption of registered apprenticeships in the rapidly growing cybersecurity industry, creating a network of cybersecurity employers that can leverage best practices to recruit, place and train hundreds of apprentices each year.
Employers must find the employees to assist in the small business environment, and the registered information technology (IT) apprenticeship model offers an opportunity to train workers on a lower pay scale into roles and responsibilities tied to cybersecurity. Veterans, minorities and women need to fill the ranks and become the cyber leaders that are so desperately needed.
Registered IT apprenticeships, as well as other apprenticeship models, are important to the work of scaling cyber education within small businesses. For example, Peregrine Technical Solutions had one of the first cybersecurity-specific Adult Registered Apprenticeship and Youth Registered Apprenticeship programs with the U.S. Department of Labor. The former was approved in 2016 and the latter in 2019. All of the employees were minority candidates, and the first graduate was a mid-career female.
Lionfish Cyber Security will kick off its apprentice training programs for its own internal team as well as for clients. Apprentices will be able to implement solutions while learning on the job—a key avenue for Lionfish to bring success in the cyber ecosystem. Lionfish apprenticeship opportunities will offer college credits for the training while defending the networks of the small businesses served.
Even with a cybersecurity apprentice program in place, the problem of data loss remains. In the last three years, 56 percent of SMBs have experienced an unrecoverable data loss, according to Zerto’s 2020 Disaster Recovery ebook.
Simpler terms and broader understanding are needed to foster knowledge-sharing about data-protection best practices in Americans’ everyday computing life. The proposed term “data care” has been heavily championed by U.S. cyber leaders Ron and Cyndi Gula of Gula Tech Adventures.
Government and other channels must clearly illustrate that cyber hygiene is every American’s responsibility. This begins with new messaging and targeted storytelling with scaling across a broader sweep of American communities.
Using a cyber guardian’s paradigm, the need to make cybersecurity engagement relatable remains. But small businesses must take some responsibilities in their own data care. Security is not just one person’s role; it is everyone’s role. Self-assessment sets the stage. An inventory of assets and a look at existing controls management charts the course from the beginning so that vulnerabilities can be analyzed. Helping an SMB find the answers versus the right questions comes after knowing where the gaps are.
Battle-tested approaches to a 24/7 cycle for incident response and due diligence make up the boilerplate. Not only do small businesses have to be cyber-ready, so must their vendors and suppliers. Examining small independent banks as well as community hospital networks reveals the vulnerabilities they are up against. In the banking sector, even manipulated data can result in noncompliance with data standards and can incur large fines. Phishing has increased more than 400 percent since COVID-19 hit, according to a January 2021 report in the ABA Banking Journal.
During the pandemic in 2020, 46 small hospitals were taken down when a third-party provider, Blackbaud, was hacked. Blackbaud is a cloud-based software company offering donor and fundraising management programs. Some health systems reported several thousand people were affected in the breach, while others, like Danbury, Connecticut-based Nuvance Health, and Broomfield, Colorado-based SCL Health, reported much larger numbers of individuals’ information in the exposure.
Verizon’s 2020 Data Breach Investigations Report cites phishing as a primary leading threat, followed by stolen credentials and compromised passwords.
The U.S. Cyberspace Solarium Commission recommends that the U.S. government should “reinforce and authorize the role of the NICE in coordinating U.S. government efforts to advance cybersecurity workforce development nationwide.”
Philip Niedermair, CEO of the National Cyber Group and managing director of strategic alliances at Whiteford, Taylor & Preston LLP, has participated in the highest level of cybersecurity warfare discussions. In a recent conversation, he referenced a colleague, stating, “The challenge we face in cyber education at all levels was perfectly summed up by Lt. Gen. Karen Gibson, USA (Ret.), recently retired deputy DNI [director of national intelligence], when she put it in terms of prioritization and said, ‘Improving cyber education at all levels is as essential to our national security as developing advanced weapons systems.’”
There’s no time like the present to begin taking steps toward cyber resilience and cyber-readiness as an important part of national security. Calls to action for scaling cyber apprenticeship training must include evaluation and best practices as a central feature to ensure effectiveness; otherwise, there is no basis for identifying the programs that warrant being scaled up and expanded nationally.
Jeremy Miller is the founder and CEO of Lionfish Cyber Security. He has served in the Army Special Forces aka "Green Beret," he is the current AFCEA president for the new Indiana Chapter and the president of the Special Forces Association Chapter 500.
Dawn Yankeelov serves on the International Small Business Advisory Board of The Cyber Readiness Institute, as well as the Tech Councils of North America’s (TECNA) Tech Public Policy Committee. She founded Aspectx, her PR and communications firm in 1989, serving international clientele including emerging technology companies, and federal plus state government agencies interested in growth.