New Cyber Readiness Program Launched for SMBs
The Cyber Readiness Institute (CRI) has launched a Cyber Readiness Program designed to provide practical and meaningful assistance to small and medium businesses who perhaps don’t have the resources to give security the priority it needs and deserves.
CRI was born in 2017, but conceived by President Obama’s bi-partisan Commission on Enhancing National Security in 2016. The commission brought together major figures in cybersecurity, business, and academia; and was charged with making recommendations by the end of the year. Its executive director was Kiersten Todt, currently president and managing director of Liberty Ventures, and resident scholar at the Pitt Institute for Cyber Law, Policy, and Security. Oversight was provided by Penny Pritzker, then U.S. Secretary of Commerce and current chairman at PSP Partners.
Another member of the commission was Sam Palmisano, retired CEO of IBM. In 2017 he and Todt discussed the possibility of continuing their earlier efforts. They reached out to other commission members, and were joined by Ajay Banga (CEO at MasterCard), and former Secretary Pritzker. Former member Peter Lee (who runs Microsoft’s R&D) took the idea to Satya Nadella who also joined the project.
Together they formed the CRI; and for the rest of 2017 brought in new members until — if anything — the new CRI is now even more august than Obama’s original commission.
“For the last year,” Kiersten Todt told SecurityWeek, “we have been developing a program that is simple and accessible for SMBs to improve their cybersecurity.” This is what is launched this week, with the backing of Mastercard, Microsoft, Maersk, Citi, Acer, and ExxonMobil. General Motors will join the CRI in 2019.
“The idea here,” she continued, “is that we take our knowledge as experts in this background and leaders of global companies, and distil the key elements of cybersecurity for small businesses — who essentially have limited resources in bandwidth and expertise to give cybersecurity the correct level of priority.”
The CRI focused on four primary issues: phishing, patching, authentication, and USB use. The intention was to reduce down the complex policies of the large government standards to something, said Todt, that, “you could take to a man in the street, and he would understand it. In other words, we were pouring cement into a foundation on which we could build more sophisticated policies, more mature policies, but really getting at the basics.”
The program will help to solve two separate problems. SMBs are often seen as the engine of any economy. They and their cybersecurity are essential. But they also represent the supply chain of larger organizations. The iconic supply chain breach was that of Target, via an HVAC vendor.
But around the same time, hackers breached a large U.S. oil company via an unusual supply chain. The hackers had learned that every week, oil employees downloaded the menu from a local Chinese restaurant. So, they hacked the restaurant and added malware to the menu. This was duly downloaded, and the oil company was breached. The reality of the situation is that many large companies aren’t even aware of the totality of their supply chain — and it is now a highly favored attack route.
The Cyber Readiness Program will consequently benefit both large and small companies. It is also cross-sector and global — because supply chains are not bound by national boundaries. The cross-sector approach is explained by Todt with a pediatric metaphor.
“In the U.S.,” she told SecurityWeek, “we created information sharing and analysis centers (ISACs) in 1999 through a Presidential Decision Directive 63. They were intended to create resources and information-sharing by sector, so that small businesses could learn from large businesses, and vice versa. Over time, we have come to understand that just like adult medicine is not a one-for-one in pediatric medicine — it’s not just the same things but at a smaller level — so SMBs have more in common with other SMBs across sectors than they do with the larger companies in their own sector. So, the focus here is to really look at what is necessary for small businesses — and that creates a common denominator that can also be effective for larger companies.”
Under normal circumstances, NIST is the U.S. provider of standards and guidance — and is currently required to provide its own cybersecurity resources for small businesses. Todt does not believe the CRI’s initiative will conflict with this. Indeed, she has a history of working with NIST, and hopes for a symbiotic relationship between NIST’s SMB work and the CRI’s SMB program.
“I’ve worked with NIST,” she told SecurityWeek. “They’re going to be putting something together; and hopefully what we’re doing with CRI will actually help inform what they’re doing. Not knowing what that final document will be, I would say that what we have done has not been done by other resources. We are very prescriptive.”
Rather than provide a document that says ‘these are all the things you should be doing’ — that is, the ‘what’ of cybersecurity, CRI is providing a program that delivers ‘how’ it should be done.
These are the cornerstones of the CRI SMB program: it is easy to use, and prescriptive in nature. “We have found with SMBs,” continued Todt, “that simply attempting to tackle cybersecurity can be overwhelming. They ask to be told what they need to do. They don’t even need to know why — just what.”