Last month, the Biden–Harris Administration released a new National Cybersecurity Strategy designed to shore up the defenses and improve the resilience of our digital ecosystem. The Strategy touches on a wide range of important topics, but below, we underscore the top five takeaways for small and medium-sized enterprises (SMEs), specifically.
1. Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety
From the same section, there is commentary on “regulatory harmonization.” Stated simply, this is related to reducing the burden – in terms of cost and complexity – of implementing government regulations, including incident reporting requirements. It is important to reward companies that do invest in cybersecurity requirements and compliance while also not making it more difficult or burdensome than it needs to be. If you are in a particularly regulated industry, it can be overwhelming to track every regulation and compliance protocol. Regulatory harmonization seeks to simplify and streamline these processes.
2. Strategic Objective 3.1: Hold the Stewards of Our Data Accountable
Data has quickly become the greatest asset in many of your organizations. Some might call your data, and your customers’ data, your crown jewels: the assets that need the most protection in the event of a cyber incident. The Strategy recognizes that “Securing personal data is a foundational aspect to protecting consumer privacy in a digital future.” This means that there will be new limits and clearer guidelines on what data can be collected and how it can be collected.
3. Strategic Objective 3.2: Drive the Development of Secure IoT Devices
You likely have at least one device that you use on a regular basis that belongs to the Internet of Things (IoT), the smart or connected devices that are designed to make our lives easier. Examples include Alexa or Echo devices, smart thermostats, and video-enabled doorbells, to name a few. These so-called IoT devices have inherent risks associated with them, and these risks are exacerbated by a lack of education. Simple measures like changing the default password associated with these devices can make them significantly more secure to have in your home or business (and with remote work, these may be one and the same).
Strategic Objective 3.2 aims to demystify IoT devices through better labeling: “Through the expansion of IoT security labels, consumers will be able to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem.” Think of this like labels on food we buy from the grocery store that indicate whether it is gluten-free or organic, what ingredients are used, etc. Armed with more information, we can make better choices.
4. Strategic Objective 1.1: Establish Cybersecurity Requirements to Support National Security and Public Safety
Cloud security, cloud computing, and cloud service providers (CSPs) are receiving a lot of attention lately. Cowbell even has a two-part blog series dedicated to cloud computing. You may already work with a CSP or perhaps are considering working with one. Though you may be able to outsource certain tasks to them, you must recognize that any third-party organization introduces new risks to your own organization, and if the third party experiences a cyberattack, you might be vulnerable as well. Strategic Objective 1.1 recognizes the benefits of cloud computing and CSPs, especially for SMEs, and seeks to raise the level of security standards associated with them: “Cloud-based services enable better and more economical cybersecurity practices at scale, but they are also essential to operational resilience across many critical infrastructure sectors. The Administration will identify gaps in authorities to drive better cybersecurity practices in the cloud computing industry and for other essential third-party services, and work with industry, Congress, and regulators to close them.” With more security requirements baked in, it will be safer for you as a customer to use those services.
5. Rebalance the Responsibility to Defend Cyberspace
The Strategy asserts, “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity.” As SMEs, you can surely attest to these limited resources and competing priorities as you are likely most focused on your bottom line. Part of the Strategy seeks to recenter the onus back onto the technology providers themselves instead of you as the consumer. This will require public–private sector collaboration, but it will hopefully raise the security level of the entire ecosystem, with less direct responsibility for you so you can focus on other business matters.
For more information about the National Cybersecurity Strategy, you can review the full Strategy. In a discussion led by the Center for Strategic and International Studies (CSIS), Kemba Walden, Acting National Cyber Director, reminds us that “The President’s National Cybersecurity Strategy acknowledges a profound truth – technology and humanity are intertwined.”