Improve your Cyber Security! That’s a Presidential order!
Yes, you read that right: the President of the United States signed an Executive Order stating that the Federal government has to review and improve its Cyber Security – it’s a security journey, if you will. While that may seem like a huge undertaking for the likes of the United States, there are key takeaways that every business should apply – and you do not have to have the budget of the government to do so!
Let’s look at a subset of this rather long, but truly important order:
“To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
“Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
“Establishing multi-factor, risk-based authentication and conditional access across the enterprise”
We’ve written about MFA and conditional access before. Both are very important, and both are part of the journey that the government is tackling right now. Notice how the order calls out “Zero Trust” and moving to secure cloud services such as SaaS, IaaS and PaaS. There is a lot to talk about here, and Microsoft recommends these strategies as part of its phased approach to security:
How many boxes can your organization check off?
The US government knows that it can’t embark on this journey alone and so the order states that it must partner with top security providers to improve overall posture through the products and services they offer:
“Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”
Look at this recent CNN article highlighting the partnership in action:
Notice that all the top tech companies were mentioned (Google, IBM, Amazon) but one company pledged the most – Microsoft!
“Google said it would spend $10 billion on cybersecurity initiatives. IBM added it would begin offering more widely a secure backup service that is already being used by critical infrastructure operators. Microsoft said it would spend $20 billion over five years on cybersecurity initiatives, and pledged $150 million in support for federal, state and local governments seeking to upgrade their security. And Amazon's cloud computing division said it would provide free multi-factor authentication devices to US customers who spend at least $100 a month on average on Amazon Web Services.”
The article also highlights another key aspect for those who choose to stay at home and not go on the security journey:
“Following the meeting, cyber insurance provider Resilience said it would require customers to meet a minimum standard of cybersecurity in order to receive coverage.”
Why? Because they don’t want to pay out to those hit by a cybersecurity attack that could have been prevented with a few layers of security – the ones outlined by security leader Microsoft. Cyber insurance rates were already going up for organizations, as reported by the US Government Accountability Office. Now your rates will continue to go up, or you can get denied, if you don’t act!
What can you do about it? What steps can you and your organization take to avoid cyber-attacks, damage to brand reputation, crippling ransomware, and costlier cyber insurance?
Take the Microsoft approach and go on a journey:
- Implement MFA
- Enforce conditional access policies
- Stop trying to defend yourself by yourself – move to the cloud
- Have a partner help you!
If you are reading this, let us help you with your journey. After all, do you want to be the person called out by this part of the Executive Order?
“Heads of FCEB Agencies that are unable to fully adopt multi-factor authentication and data encryption within 180 days of the date of this order shall, at the end of the 180-day period, provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.”
I for one wouldn’t want to tell (essentially) the President that we didn’t listen and couldn’t implement MFA. Talk to us and please be safe out there!