In the last few weeks, we have seen a flurry of cybersecurity breaches as well as focused effort by the U.S Government to get serious about protecting US business, critical infrastructure and the federal government.

In May, US President Biden issued an executive order to government agencies to up their cybersecurity game. This should be a wake-up call for every business and organization around the world.

What were two of the most important aspects of the order?  The mandates for multifactor authentication and encryption.

  • Multifactor authentication ensures identity integrity for who accesses what which applications and information in government systems. Multi-factor authentication requires more than just a single password to gain access to systems and data. It requires something you have in your possession – either an encrypted digital credential on a smart phone, a smart card or a simple hard token. This additional layer of identity verification keeps a simple password from causing major compromises, as happened in the Colonial Pipeline ransomware attack.
  • Encryption protects unauthorized data access. Organizations been talking about encryption for years. But until recently most organization haven’t had an encryption strategy. The Ponemon Institute has been tracking encryption usage over the past 16 years. In the most recent survey, 50% of organizations still don’t apply encryption strategy around their organizations.  Organizations need to make sure they are encrypting information in all forms — data at rest, data in motion and data in use.  By encrypting the information, even if someone accesses your network and steals your information, the data they steal is unreadable…and can’t be exploited.

The drumbeat of warnings continues

Until this year, most executives would not have thought that meat processing plants would be targets for cyber criminals. Guess again: the JBS ransomware attack shows that organizations large and small are susceptible to cybercriminals – and in fact, they are looking for soft targets in critical infrastructure around the world.

The good news is that the US government taking a more active stance.  On June 3, the Biden administration sent an open letter to business leaders urging them to take immediate action. The New York Times reported that,

“…in the White House memo, titled “What We Urge You to Do Now,” Ms. Neuberger asked businesses to focus on the basics. One step is multifactor authentication, a process that forces employees to enter a second, one-time password from their phone, or a security token, when they log in from an unrecognized device.”

Back to the basics

It keeps coming back to multifactor authentication and encryption – these are basic, foundational security measures that that no organization can ignore.

Regulations are starting to catch up with the need.  After a couple of years in the wilderness, the US government passed the IoT Cybersecurity Improvement Act in December 2020, calling for NIST to develop guidelines to prevent vulnerabilities for connected devices — the Internet of Things (IoT).  This is especially important for protecting our critical national infrastructure — think digital meters, pumping station censors and medical facilities and devices…not to mention autonomous cars!

The US government is further focusing on protecting its defense infrastructure with the implementation of the Cybersecurity Maturity Model Certification, or CMMC – a new set of comprehensive regulations that require any company doing business with the US Department of Defense to meet strict compliance requirements to bid on any project.  The “teeth” in this requirement is that it requires a 3rd party to audit compliance.  Other government agencies are also looking to adopt CMMC principles for their vendors.

If one incident is a wakeup call, organizations can’t keep hitting the snooze button. The events of the last few weeks should make companies and businesses hyper-vigilant against cybersecurity threats.

Because the risk is not just the cost of losing sensitive information — but our very ability to operate in a digital world.