At this time of year, everyone is shopping for a good bargain. And with “Cyber Monday,” the internet has become the place to go for the best deals. The shift to online and cloud-based information systems and data storage has also opened up a new market for online shopping, trafficked by hackers and other cyber criminals who want to take or corrupt your company’s personal, proprietary, and other sensitive information.
Many small businesses believe that they are not likely to face a cyber attack, and therefore do not devote sufficient planning and resources to cybersecurity. Yet, nearly half of all cyber attacks are made against small businesses. And cyber threats do not come only from rogue nations or foreign-organized crime syndicates. Much closer to home, disgruntled former employees and even competitors are behind many cyber incidents.
The risks of inadequate cybersecurity go beyond lost data, lost productivity, and the expense of addressing a cyber attack. As a result of several recent legislative and regulatory developments, the federal government can use a contractor’s inadequate cybersecurity protocols to withhold a contract award or contract payments, exclude contractors from contract competitions, issue adverse past performance reviews, and even pursue breach of contract claims and suspension and debarment. Many government contracts now contain, or will soon contain, clauses requiring adequate cybersecurity protections, a security plan, and rapid reporting of cyber incidents. Understanding how to comply with these new requirements is challenging because many of the rules are vague and intentionally flexible.
The federal government’s focus on cybersecurity is not likely to abate any time soon. In fact, emphasis in this area is increasing, as evidenced by President Obama’s recent nomination of Ash Carter, a big proponent of cybersecurity, to Secretary of Defense. This means that if you have not been focusing on cybersecurity, then you should put this high on your priority list for 2015.
At a minimum, small businesses should be aware of contractual requirements imposed on them by the federal government and prime contractors related to cybersecurity. You also need to know these requirements if you have unclassified controlled technical information residing on, or transitioning through, your information system. You should have an internal company policy and procedures for addressing, among other cybersecurity-related issues, the timely reporting of cyber incidents, who in your organization is responsible for your security plan, employee training and social media policies, backup of data, as well as restrictions on physical access to your computers and networks.
Resources, such as the National Institute of Standards and Technology protocols, are available to guide you in putting together a security plan, and PilieroMazza can help as well. It is also important to make sure you are employing the latest antivirus programs and regularly updating your software with available security patches. And when you are a prime contractor subject to cybersecurity requirements, you need to make sure these requirements are properly flowed down to your subcontractors.
Opportunity knocks in 2015 for those firms who implement strong cybersecurity measures and are ahead of the curve. Such firms will not only avoid the consequences of lapses, but will be more attractive contracting partners, gaining a leg up in contract competitions. So make a resolution this holiday season to put a greater emphasis on your cybersecurity next year.
Please join Jon Williams and Steve Chafitz of e-End, for a Joint Cybersecurity Webinar on January 21, 2015 from 2:00 p.m. to 3:00 p.m. ET. This free presentation will provide you with the key information you need to understand and prepare for cybersecurity requirements that should be on your radar in 2015. Click here for more information and to register.
About the Author: Jon Williams is a partner with PilieroMazza and a member of the Government Contracts Group. He may be reached at [email protected].