Let’s Begin
Today, cyber security is something that each business must pay attention to. Companies can no longer just purchase anti-virus software and feel that they have sufficiently protected their computers, their network and, most importantly, the data that they use daily and store. Nor can companies take the view that, because they are using a third-party service or cloud services, they are adequately protected.
Currently, it is perfectly reasonable for companies to utilize outside assistance and the type(s) of assistance can change over time. However, while outside resources may be needed and utilized, an owner cannot take a hands-off approach and delegate cyber security responsibilities. The company’s owners must be involved. The owner needs to be aware of the programs, the threats, and current risks. The owner needs to be both the champion of cyber security efforts and a role model for staff. Owners and senior leadership need to be informed, involved and proactive in guiding these efforts.
The threats are very real. In some instances, there are active attacks. In other instances, a simple mouse-click can trigger a series of unintended consequences. Sometimes a system is not set up as it should be, or a security update is not installed. In all cases, such oversights can create an opportunity for attackers to exploit. The potential damages run the gamut from being an inconvenience to potentially causing a business to close the door and turn out the lights.
For companies interested in conducting business with the federal government, there is an expectation that their cyber security measures have been formalized and are sophisticated. Companies that intend to contract with the government need to be aware that they will likely encounter various types of sensitive information which are not intended for public release. This information has a specific purpose, and the intent is that only the government and the authorized users (contractors and subcontractors) should have access to it.
Consequently, the federal government has outlined its cyber security requirements in the Federal Acquisition Regulations (FAR), the Defense Federal Acquisition Regulations Supplement (DFARS), and supplemental references such as NIST 800-171 r2 and other specified publications.
A company’s efforts need to focus on the customer’s requirements, the type(s) of information being handled, the systems being used, and whether the information needs to be shared. Lastly, there needs to be an understanding of what cyber security measures are required and what risks and threats the company faces. Knowing what threats or risks are present allows a company to tailor its cyber security measures rather than create or use a “one size fits all” approach.