Help is on the way for leaders at small and medium-sized businesses that have had to contend with cyberthreats that would be a challenge even for massive firms with multimillion-dollar security budgets.
A program led by alumni of President Barack Obama’s cybersecurity commission was unveiled Monday, offering free tools and resources meant to help smaller companies better secure their corporate networks. The Cyber Readiness Institute was launched in July 2017 by the Center for Global Enterprise — an institution devoted to researching management practices — to help small and medium-sized enterprises mitigate cyber risk. The Cyber Readiness Program, which launched Monday, includes support from private sector heavyweights like Mastercard, Microsoft, ExxonMobil and General Motors.
The plan is for Fortune 500 companies to pass down cybersecurity know-how to companies with only a fraction of the resources, an approach that ultimately aims to stop hackers before they can use one company as a foothold into its partners.
“Small businesses very often are the source of data breaches into large companies because of the supply chain effect,” Mastercard CEO Ajay Banga said at a press conference in Washington on Monday. “What’s coming at them is a cyberthreat that doesn’t distinguish between large and small. … This is not a problem for small businesses. It’s a problem for all of us, collectively.”
The nonprofit initiative, led by Kiersten Todt, who was executive director of Obama’s cybersecurity commission, has been in the works for more than a year. The guidance released Monday gives businesses tips on how to improve authentication, adopt best password practices and integrate effective patching techniques, three areas where the Obama commission determined smaller companies struggle.
“Almost all the breaches in the U.S. from the past 10 years are sourced from authentication issues,” she said, adding later that CRI also encourages firms to implement security into their office culture.
“It starts with identifying a person who will be responsible for this in your company,” said Todt, who is the institute’s managing director. “[We] provide policy templates for your organization and … are creating communication and posters you need to internalize this.”
The CRI tools are based on pilot programs with 19 companies ranging in size from just a handful of employees to roughly 800, said former IBM CEO Sam Palmisano, a CRI co-chair. The program is intended to be only the first round of guidance, with additions to come as more enterprises get involved and provide feedback, he said.
Next steps include possible collaboration with the Department of Homeland Security and Grant Schneider, the federal chief information security officer, to help raise awareness about supply chain security.
But this project is only the beginning of a longer process. A number of well-publicized hacks, including the breach this year at Saks Fifth Avenue and the 2013 Target hack, occurred because thieves exploited third-party software. Yet only 16 percent of companies surveyed as part of a Ponemon Institute study published in November say they are prepared to stop such incidents.
“I just want you all to understand this is going to be really hard,” Banga said. “Think of this as a three or four year effort to change the dialogue between small businesses and the rest of the industry to get things to improve.”