5 questions businesses should ask in the wake of Biden’s cybersecurity executive order

Steven Freidkin, CEO of Ntiva, breaks down US President Joe Biden’s new cybersecurity executive order and explains what it means for businesses. He advises on how an organisation can review its vendors’ risk assessments, check for security gaps in its supply chain, and review its vendors’ monitoring and compliance, while ensuring contract terms are in place that oblige vendors to share threat information.

In May 2021, President Joe Biden issued the “Executive Order on Improving the Nation’s Cybersecurity” (Executive Order 14028) to bolster the nation’s cybersecurity on the heels of high-profile attacks, including the ransomware attack on Colonial Pipeline that temporarily shut down the East Coast’s main fuel supply. 

Biden’s lengthy Executive Order – which includes mandates to modernise federal cybersecurity standards and strengthen software supply chain security – puts software and IT service vendors under pressure to get a number of sweeping changes in place quickly. These updated requirements are also sure to have a trickle-down impact on private companies, both big and small. 

To be confident that you are using secure and compliant software providers, here are five questions you should be asking. 

What does the Executive Order mean for my business?

Small businesses are estimated to be the victims of up to 75% of all ransomware attacks, in large part because of the limited security resources available to them. 

So the actions laid out in Biden’s Executive Order are pertinent to businesses of every size, and you should become familiar with the changes so you can check that your software vendors are keeping up.

IT vendors that work with the federal government will have to make these sweeping changes over the coming months. The private sector is likely to follow suit, as the protocols and guidelines the government is mandating for its own suppliers are likely to become standard practice throughout the software industry. 

As the Executive Order says, businesses “must adapt to the continuously changing threat environment (and) ensure its products are built and operate securely.”

Should I update my vendor risk assessment? 

More and more businesses will now be revisiting their vendor risk assessments. Whether rechecking existing contracts or making sure new ones use some of the same language as the government’s guidelines, the goal is the same: verifiable security controls and a low residual risk.

When talking to your IT vendors, it’s critical to understand the strengths and weaknesses of their offering. This should give you an idea of where gaps exist, if any, and whether additional controls such as multi-factor authentication or network firewalls can close them.

Think of a risk assessment with your vendor as a checklist of all the controls you expect them to maintain to keep your business safe. 

How do I make sure there are no security gaps in the supply chain?

A business is only as secure as the weakest link in its supply chain. For example, when Kaseya, a Florida-based IT management software firm, was hit by a ransomware attack in July 2021, up to 1,500 small and mid-sized businesses that depended on the firm’s software tools were affected. 

Under Section 4 of the Executive Order, the National Institute of Standards and Technology (NIST) is directed to publish software supply chain security guidelines. Businesses should make sure their vendors are following that guidance. 

Don’t be afraid to ask your vendors for evidence that their products are secure and up to date. Automated security testing and an accurate software inventory (the order calls for vendors to provide a Software Bill of Materials for each product) are two of the measures that help secure a supply chain.

Should I expect my vendors to share threat information?

Any time an active cyberthreat could potentially put you at risk, your service provider should make you aware of it.

The Executive Order explicitly prioritises this threat information sharing, which the government says is vital to speeding up response efforts. Contractors will now have to alert the relevant agencies to threats or attacks affecting government systems. Businesses should hold their vendors to the same expectation, and should write it into their contracts.

Ensure your vendor has adopted or is adopting a zero trust architecture and multi-factor authentication, as federal agencies are required to implement those measures under the order. This makes a real difference: according to Microsoft, multi-factor authentication blocks 99.9% of automated account-compromise attacks.

Are my vendors up to date on monitoring and compliance?

Section 4 of the Executive Order states that software developers who sell to the government must comply with the secure development practices laid out in the order. That should improve compliance and monitoring throughout the industry, but you need to verify that your particular vendor falls in line. 

Going forward, endpoint monitoring solutions should be commonplace for private companies, especially with so many teams working from home. Making sure your vendor can remotely monitor, patch and manage the software it provides is essential to shortening the window in which an attacker can exploit a known vulnerability.

There are sure to be more questions as the federal government rolls out its cybersecurity requirements. Business owners need to stay informed on the shifting requirements so they know what guarantees they should be getting from their software providers to ensure end-to-end security.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
