Five Cybersecurity Steps for SMB Contractors
The threat is no longer doomsday rhetoric.
It comes as no surprise that U.S. adversaries continue to target and successfully exploit the security weaknesses of small-business contractors. A successful intrusion campaign can drastically reduce or even eliminate research, development, test and evaluation (RDT&E) costs for a foreign adversary. Digital espionage also levels the playing field for nation-states that do not have the resources of their more sophisticated competitors. To bypass the robust security controls that the government and large contractors have in place, malicious actors have put significant manpower into compromising small- and medium-sized businesses (SMBs).
The threat is no longer doomsday rhetoric used by those in the security field to push for change. The tabletop scenarios have been realized and without widespread adoption of cybersecurity best practices, the United States will continue to bleed its intellectual property. This is evident by the countless breaches that have occurred against government contractors over the past year.
Ad hoc methods of protecting sensitive data, including controlled unclassified information (CUI), are no longer acceptable. Long gone are the days when tasking corporate digital security to an understaffed, underfunded and overburdened IT department was sufficient. SMB contractors must recognize the importance of Defense Department and National Institute of Standards and Technology (NIST) requirements and dedicate the necessary resources to achieve compliance.
CUI, a categorization of data that encompasses a wide array of limited distribution information, resides in hundreds of small businesses across the country. The bar must be raised by those who contribute to the defense of the nation, regardless of company size or revenue.
Top-Down Approach to Security
Implementation of a secure cyber workplace must start with senior leadership and be recognized throughout the organization as an enterprise initiative. It must be baked into the corporate culture as a positive necessity, not expressed as an additional burden. CUI controls penetrate far beyond the corporate IT infrastructure. SMBs must have a defined set of policies and procedures to ensure that all technical, administrative and physical safeguards are met and understood by all relevant stakeholders. The risk of housing CUI must be assessed at the highest levels of the organization
SMB contractors must identify the CUI residing in their environment and take the necessary defensive measures to ensure the data is secure at rest, in transit and during processing. Organizations may choose to segment the CUI resident in their environment to limit the scope of the required security controls. The CUI must be labeled and its movement monitored and controlled. This can be achieved through various data loss prevention solutions and a network architecture that utilizes layering, diversity, obscurity, limiting and simplicity.
Raise the Bar on Education and Testing
Employees must be educated on the evolving threats and their role in supporting a proactive security posture. They must be continuously tested and reevaluated to uncover systemic deficiencies within the organization. SMBs should consider conducting internal phishing tests to teach their employees about the dangers of social engineering attacks. End users must also be aware of the corporation’s data classification and labeling policy and procedures
Operate as If You’ve Been Compromised
SMB contractors should operate under the assumption that they have already been compromised. This stresses the importance of anti-data exfiltration techniques, such as geolocation blacklisting, protocol filtering, secure sockets layer inspection and network traffic anomaly detection. Proactively ingesting indicators of compromise from information sharing partners can aid in breach discovery. SMBs should also consider implementing honey pots or canary files to track malicious movement inside of the corporate network.
All of these actions, alongside basic fundamental strategies, are necessary steps in the right direction. To maintain the integrity of the Defense Department supply chain, SMBs must be vigilant, now more than ever before, to ensure the protection of the information with which they are entrusted.
Michael Carmack is a cybersecurity analyst working for Rite-Solutions Inc., Middletown, Rhode Island. His primary responsibility involves ensuring the protection of Rite’s security infrastructure, which includes extensive remote use of resources, and compliance with all NIST requirements.