Small Defense Contractors Need Stronger Cybersecurity Practices

Small businesses doing work for the U.S. Defense Department pose serious cybersecurity concerns, in part because of their limited resources to invest in technical and practiced security measures, according to a congressional oversight agency’s assessment.

Last month, the U.S. Government Accountability Office (GAO) released a report after assessing the cybersecurity practices of small businesses, concluding that risks posed by small-business contractors increase chances of breaches for U.S. Defense Department agencies. While GAO investigators recommend that the department's Office of Small Business Programs (OSBP) create a program to provide cybersecurity education resources to small-business partners, we should first realize that there are misconceptions about small business security. Helping government leaders better understand small business security policies, practices and challenges is critical to safeguard the entire public-sector ecosystem.

For starters, it’s a common misconception that small businesses are not as secure as their larger counterparts. Usually, this stems from assumptions that larger businesses have more money to throw at the problem. But daily news headlines of security breaches prove otherwise.

Another common perception is related to the one-size-fits-all approach to cyber risks: Security standards are applied equally, whether protecting large, medium or small businesses. The mindset is especially prevalent in government agencies, which uniformly apply regulatory requirements. In reality, larger businesses often face bigger threats because their systems are more complex, disparate and harder to secure and manage.

Offering educational resources to small- and medium-sized businesses (SMBs) is a good first step to address current gaps, but the best way to encourage small businesses to invest in security is by dangling the business growth carrot. In an effort to shore up vulnerabilities, the Defense Department started evaluating cybersecurity certifications as part of acquisition requirements. For example, the U.S. Air Force Network-Centric Solutions-2 contract vehicle requires International Organization for Standardization (ISO) certifications and recognizes that accreditations provide a twofold competitive advantage: better due diligence for the small business community and higher security standards for the government.

Additionally, small defense contractors should adopt the following best practices to maximize their chances of building a productive and incident-free relationship with the government.

• Establish a business continuity plan, or BCP, which helps prepare for disruptions such as floods, fires, earthquakes, cyber criminals and insider threats. Virtual threats must be considered as well because nearly every business now depends on cloud or hosted services.  
• Train employees on online safety, a tactic that might keep cyber criminals from targeting SMBs as a weak link and launch pad into larger and more valuable networks.
• Ensure you have the basics, including firewalls, anti-virus programs and a solid patch program, whether in your cloud subscription or on location, because this establishes the first line of defense. Encrypt data and adopt two-factor authentication for the most critical assets and connection points.   

Small businesses do not have to rely exclusively on Defense Department resources to become better educated on cybersecurity. They need to establish security legitimacy and steer clear of avoidable threats by taking a proactive approach that fits information technology and business needs, including pursuing security certifications that demonstrate companywide due diligence. Conversely, the GAO and the Defense Department should reward companies with a proven cybersecurity focus through ISO certification and acknowledge the certifications and security standards as an advantage over the competition.

Maria C. Horton is president and CEO of EmeSec Incorporated. She served in the U.S. Navy for 20 years, retiring in 2003 as a commander, where she served as the chief information officer for the National Naval Medical Center.