Our world is more interconnected than ever because of digital transformation and all of the work we’ve done to integrate systems. When the FAA system went down recently, think of all the business people and cargo that couldn’t reach their destinations. Think of the widespread impact it had on entire industries and communities.
In much the same way, if one of the third parties we deal with experiences some sort of malware or ransomware attack, then we get impacted downstream, too.
If we only think about our own individual security programs, then we give short shrift to the knock-on effect organizations have on each other. If we don’t reach out to small and medium-sized businesses and help them develop robust cyber programs, we stand to suffer because of the great amount of connectivity that exists between our respective organizations and our partners, vendors and suppliers.
By advancing their security programs, we are advancing our own as well. Here are some actionable steps we can take to harness the power of many for the good of us all:
Vendor management training: If you’re a big multinational company, you should be thinking about how to train your vendors, suppliers and partners on your cybersecurity program and your requirements. All this information has to be part of your agreements. Make cyber hygiene a priority. Ask what your third parties’ cyber hygiene looks like, and give them your requirements for good cyber hygiene.
Baseline: We have to make sure we are compelling third parties to implement minimum security baseline requirements as a condition for doing business. We have to set the bar and stipulate it in all contracts. If their security programs don’t align with our requirements, then how do we help them to meet the standards? One good option is to leverage the CIS Top 20 or similar security frameworks that dictate minimum requirements.
Outreach and support: Reach out to your third parties and support them in developing their cyber programs. They may not have as many resources as a multibillion-dollar organization to spend on cyber. We need to think about how we help them develop the right security posture with tools that are commensurate with their size.
Larger companies need to pay it forward to smaller companies to develop sound cyber hygiene practices. Many of us use some of the same suppliers. By helping the small and mid-size businesses in our ecosystems, we’re having a huge beneficial impact not only on our own organizations, but on others as well.
Dawn Cappelli, Head of OT CERT for Dragos (and former CISO of Rockwell), has created a program designed to help small and medium-sized businesses (SMBs) manage the security of their operational technology environments. Her program, in partnership with industrial control systems (ICS)/OT cybersecurity firm Dragos, offers a library of OT security guidance, a cybersecurity maturity self-assessment, resources focused on asset management, and a ransomware tabletop toolkit to identify potential gaps.
Any vulnerabilities that Dragos discovers in OT products will be disclosed within the program’s portal, and when an SMB is breached, Dragos will work through partners to deliver notifications and access to support services.
The interconnectedness of the work that we do means we have to connect the dots. We have to create opportunities for collaboration. When we think about globalization, we have to think about democratizing cybersecurity.