CMMC: A Guide for Small Businesses in the Defense Sector
Navigating the complexities of CMMC can be daunting, but understanding its essentials is crucial for small businesses in the defense sector.
4 min read
Michael Markulec : Nov 13, 2020 4:00:00 PM
A ‘tick in the box’ approach to cybersecurity no longer works: a proactive approach is needed to identify and mitigate risk. An SMB in the housing market, for example, may not have the same risk appetite as a top bank.
The excuse “my computer has no top-secret data” doesn’t wash anymore. Gone are the days when only a handful of systems used to hold sensitive data in a separate environment.
So how can you improve your business's cybersecurity posture?
An endpoint is an end-user system or device such as a laptop, desktop/workstation, or mobile device. Endpoints are entry points into an organization, and from an attacker’s point of view they are an attractive opportunity. An attacker who gains access to a staff system has usually done so by exploiting a weakness on the endpoint: a threat actor who establishes a connection to a staff computer through a phishing attack (or another form of attack) has got malicious code past the endpoint controls. Securing these entry points with antivirus or anti-malware solutions that detect suspicious activity and deter such attempts is therefore essential. After deployment, make sure full system-wide scans are performed periodically and that vendor updates are applied regularly.
Network segmentation is the most underrated control in the cybersecurity domain. Just as a submarine is built from separate compartments, you need different compartments within your organization. If a cyber-attack compromises one system or one segment of the network, the attacker does not get immediate access to the entire organization. Depending on the scope of the incident, this limits the impact, aids containment, and improves the chance of detecting the intrusion activity.
Apply the principle of least privilege: grant privileges on a need-to-know basis. This delivers multiple tangible and intangible benefits across the organization. If a system is compromised, threat actors face more resistance when trying to escalate their privileges, and compliance, framework, and standards requirements become far easier to meet. Several tools and tactics support it: Privileged Access Management, network segmentation, separation of privilege, and systems hardening.
The internet is the backbone of any business, and since the rise of remote working during and after Covid-19 it is even more important. Ensure that a restricted internet use policy for employees is communicated via emails, meetings, and contracts (where needed). If a web proxy, filter, or internet traffic access solution is in place, order an immediate review to ensure it is serving its intended purpose. If no such software is in place, purchase an internet filtering solution.
It is a common myth that using facial or biometric authentication means you can keep an easy password because it won’t be used. Use a non-dictionary, hard-to-guess password drawn from multiple character sets. Change the default passwords on all equipment, such as network devices, printers, scanners, and security devices. If possible, mandate the use of password manager software in your organization.
Multi-factor authentication means using two or more authentication methods (for example, a user password and a one-time code). Implement multi-factor authentication on all your devices and internet-facing portals. At times, employees’ credentials are compromised without any attack on your organization at all. Credential stuffing is an attack in which account credentials stolen from one service are used to gain unauthorized access to accounts on other internet services. For instance, your work email account could be hacked because you reused the same password on another service that was breached: a threat actor obtained your stolen credentials from a leaked database online (forums, dark web, etc.), researched more information about you, and tried the same password against your email account (where the email address is the username).
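As an added example (not from the original post), the detection side of the credential-stuffing scenario above: a small Python check over constructed authentication log lines that flags a source trying many distinct usernames in a short window and lists the accounts that then logged in successfully from it, so they can be reset. The log format, thresholds and names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of portal authentication log lines (not real data):
# "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2020-11-13T09:00:01 203.0.113.7 alice FAIL
2020-11-13T09:00:02 203.0.113.7 bob FAIL
2020-11-13T09:00:02 203.0.113.7 carol FAIL
2020-11-13T09:00:03 203.0.113.7 dave FAIL
2020-11-13T09:00:04 203.0.113.7 erin FAIL
2020-11-13T09:00:05 203.0.113.7 frank SUCCESS
2020-11-13T09:05:00 198.51.100.20 alice FAIL
2020-11-13T09:05:30 198.51.100.20 alice SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log):
    """Parse log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def detect_credential_stuffing(log, min_users=5, window=timedelta(minutes=5)):
    """Return (suspicious_ips, accounts_to_reset).
    A source IP trying >= min_users distinct usernames within `window` is a
    stuffing source; any SUCCESS from it is an account to reset and review."""
    events = sorted(parse(log))
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user))
    suspicious = set()
    for ip, attempts in by_ip.items():
        # Sliding window over this IP's time-ordered attempts.
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                suspicious.add(ip)
                break
    accounts = sorted({u for _, ip, u, r in events if ip in suspicious and r == "SUCCESS"})
    return sorted(suspicious), accounts
```

With the sample above, 203.0.113.7 tries six usernames in five seconds and is flagged, and the one account that succeeded from it ("frank") is listed for reset, while the single-user attempts from 198.51.100.20 are not.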
Secure configurations are essential for all systems used within or outside the organization. This includes a mobile device management solution to control mobile devices, hardened operating system images used as a secure base for desktops and servers, and hardened configurations for network equipment. CIS benchmarks are a great starting point for preparing internal checklists covering patch management, system hardening, services configuration, and many other areas. For mission-critical assets, such as a revenue-generating website, opt for a penetration test at least once a year or after any significant change. This will pick up the various cyber attacks that target retail or business-specific websites and infrastructure.
Backups are an essential part of your cybersecurity strategy. In a cyberattack, data could be either compromised or deleted. Because SMBs often lack strict processes and procedures, a large amount of data sits on staff laptops and mobile devices (tablets, phones). Ensure that a secure and regular backup policy is in place, including a backup solution that can schedule backups automatically. Use the cloud: modern devices and services offer easy cloud-based backups, with benefits such as backup schedule configuration, secure storage, and easy restores accessible from anywhere.
Your employees can be your strongest or weakest link in cybersecurity; it all depends on your cybersecurity strategy. Invest in regular, thorough training to give all employees a baseline of knowledge. Over time this shifts company culture, reinforcing a proactive approach to cybersecurity. Ensure that staff don’t browse the web or check email from servers or while using administrative privileges. This reduces the impact of an attack if user details are stolen.
If your business uses a wireless network, the corporate or staff network must be segregated from the guest (visitor) network. It is crucial that this segregation is strictly enforced on both networks so that trusted and untrusted users stay separate. For corporate wireless networks, certificate-based authentication is the recommended mechanism: it validates user and connecting device identities so they cannot be spoofed. Implement a captive portal to manage guest network access for visitors.