The Rise of Ransomware: Why Every Business Needs a Cybersecurity Plan

man holding his head, with a computer with a ransomware alert on the screen behind him

Imagine waking up to the chilling message: “Your files are encrypted. Pay now or lose them forever.” This isn’t a dystopian movie plot; it’s the harsh reality of ransomware, a cyberattack that’s rapidly becoming a top threat for businesses of all sizes.

The Stats Paint a Grim Picture

In 2023, ransomware payments reached an all-time high of over $1 billion, according to Chainalysis. This exponential growth shows no signs of slowing down.  By 2031, experts project businesses will experience a ransomware attack every two seconds. The data is clear: no industry is safe, with attacks targeting hospitals, government agencies, and even small businesses.

Why Should You Be Worried?

Even if your business doesn’t handle sensitive data, the consequences of a ransomware attack can be devastating. Consider these statistics from the SOPHOS State of Ransomware 2023 report.

  • The average ransom payment in 2023 was $260,000. That’s a hefty sum for any business, especially small and medium-sized organizations.
  • Beyond the ransom, businesses incur additional costs for downtime, data recovery, and reputational damage. For instance, healthcare organizations collectively have experienced a loss of $77.5 billion since 2016 in downtime costs alone.
  • A single attack can cripple operations for days or even weeks, leading to lost revenue and productivity.

Don’t Be a Victim: Build a Cybersecurity Fortress

The good news is, you don’t have to be a sitting duck. By implementing a robust cybersecurity plan, you can significantly reduce your risk of falling prey to ransomware:

  • Educate your employees: Phishing emails are a common entry point for ransomware. Regular training empowers employees to identify and avoid suspicious emails.
  • Patch your systems regularly: Unpatched software vulnerabilities are often exploited by attackers. Make timely updates a priority.
  • Backup your data regularly: Having a reliable backup system allows you to restore your data in case of an attack, minimizing downtime and data loss.
  • Invest in security solutions: Antivirus software, firewalls, and endpoint detection and response (EDR) tools can help detect and prevent ransomware attacks.
  • Develop an incident response plan: Knowing what to do in case of an attack can minimize damage and expedite recovery.

Staying Ahead of the Curve

The FBI offers valuable insights into emerging ransomware threats and mitigation strategies. Additionally, CISA’s proactive approach like “pre-ransomware notifications” helps organizations identify and stop attacks before they happen.

Remember, cybersecurity is an ongoing process, not a one-time fix. By staying informed, taking proactive measures, and implementing a comprehensive plan, you can significantly reduce your risk of falling victim to ransomware and safeguard the continued success of your business.

Don’t become another ransomware statistic! Schedule a FREE cybersecurity consultation with Back To Business I.T. today to assess your vulnerabilities and build a customized plan to shield your business. Let our experts help you sleep soundly knowing your data and operations are safer.

Top 10 Cybersecurity Trends for 2024

Futuristic cybersecurity shield emblem superimposed on a circuit board highlighting modern cybersecurity trends and digital protection technologies.

The cybersecurity landscape is undergoing a seismic shift, driven by technological advancements, evolving threats, and a heightened focus on regulation. From the talent crunch in cybersecurity to the rise of Generative AI and the increasing importance of soft skills, the industry is bracing for a transformative year. This guide delves into the Top 10 Cybersecurity Trends for 2024.

1. The cybersecurity skills crunch will mean less people/higher costs for organizations.

One of the most critical challenges facing the cybersecurity industry is the talent gap. According to the Bureau of Labor Statistics1, the employment of information security analysts is projected to grow by 33% from 2020 to 2030. This rate of growth is much faster than the average for all occupations, highlighting the increasing demand for cybersecurity expertise. However, the supply of qualified professionals is not keeping pace with this demand, leading to a talent gap that poses a serious risk to organizations. For businesses, this can mean higher labor costs. In the next few years, scarcity will cause salaries to increase, and upskilling existing employees will require added costs for development and training.

2. Cybersecurity professionals will have increased need for soft skills.

While technical expertise remains a the primary focus for anyone working in cybersecurity, there will be a growing emphasis on the importance of soft skills for cybersecurity professionals. These include interpersonal communication, problem-solving, and emotional intelligence, among others. Effective communication will be crucial when explaining complex security issues to non-technical stakeholders so that decision-makers can understand how and why to take appropriate action. Indeed2 suggests that a blend of technical and soft skills will be the hallmark of the most sought-after cybersecurity professionals.

3. There will be more cybersecurity in board rooms.

According to a Gartner Report3, around 70% of corporate boards are expected to have at least one member with specialized cybersecurity knowledge by 2026. Another report from Moody’s4 reveals that company cyber budgets have jumped by 70% in four years. This significant increase in financial allocation is a testament to the escalating importance of cybersecurity at the highest levels of corporate governance. Boards are not just approving larger budgets; they are actively participating in discussions about how these resources are allocated and used.

As a result, the role of the CIO (Chief Information Officer) will become even more important

According to Info-Tech’s Annual CIO Survey Report For 20245, one of the top priorities for CIOs in 2024 will be to engage with the board on cybersecurity matters. This involves not just presenting technical metrics but translating these metrics into understandable, actionable business strategies. The recent SEC charges against SolarWinds serve as a stark reminder of the consequences of neglecting cybersecurity at the governance level. The SEC alleges that SolarWinds misled investors about its cybersecurity measures, leaving the company vulnerable to a significant cyberattack disclosed in December 2020. This event led to a sharp decline in the company’s value, underscoring the critical importance of taking cybersecurity seriously at the highest levels of an organization. And the SEC’s action in this case should act as a wake- up call for publicly traded companies that wish to avoid the same fate.

4. IoT (internet of things) cyberattacks will increase.

The proliferation of IoT devices, ranging from smart home appliances to industrial sensors, has expanded the attack surface for cybercriminals. According to InformationWeek6, security measures are not keeping pace with the grow of IoT technology, widening the security gap.  For businesses, one of the greatest vectors for threat is IoT devices used by remote and hybrid employees without proper security measures in place on devices used to connect to sensitive data. McKinsey7 notes that the lack of standardized security protocols is a significant concern, especially considering the IoT is expected to potentially be worth up to $12 trillion dollars globally by 2030.

5. More cybersecurity regulations are coming down the pike.

The newest regulations aim to safeguard national security and ensure economic stability by setting standards and guidelines for cybersecurity practices. In the United States, the 2024 defense bill has allocated $13.5 billion specifically for cyberspace activities. Notably, in the US financial sector, the SEC  has introduced new rules requiring companies to include cybersecurity risk factors and incidents in their financial disclosures set to take effect on December 15, 2023. In the UK, the Product Security and Telecommunications Infrastructure (PTSI)8 act was passed into law in 2022 and aims to regulate products capable of connecting to a network, such as IoT devices like networked CCTV cameras, with a compliance deadline of April 29, 2024.

Similarly, the EU is focusing on the cybersecurity of a product’s life cycle for IoTs that connect to a network by implementing the European Cyber Resilience Act (CRA). The CRA is designed to replace the existing European Union agency for cybersecurity ENISA.  It will oversee certification schemes for ICT products, services, and processes and is set to be officially released in 2024.

6.  Generative AI will continue to have long lasting impacts on cybersecurity.

The integration of Artificial Intelligence (AI) into cybersecurity is not a new phenomenon, but the advent of generative AI marks a significant milestone. One of the most concerning developments is the use of deepfake technologies for social engineering attacks. According to a report by Cyber Magazine9, the proliferation of deepfakes is causing increasing concern in the cybersecurity community. AI-generated synthetic media can impersonate individuals, manipulate content, and deceive systems, making them a potent tool for cybercriminals aiming to compromise business networks and data. Beside deepfakes, AI is contributing to more sophisticated phishing attempts. AI can be used to create more believable phishing emails with programs like ChatGPT, Bard, and Claude and to automate the process of sending these emails, making attacks more efficient and harder to detect.

On the flip side, advancements in AI are also empowering organizations to bolster their defenses. A Gartner report10 highlights the growing importance of Machine Learning in data science, including real-time anomaly detection. Additionally, AI-driven incident response mechanisms are becoming increasingly sophisticated. These systems can automatically isolate affected network segments, initiate predefined security protocols, and even communicate with human operators to provide real-time updates on security incidents.

7. You will see evolving, more sophisticated phishing attacks and the cost will be much higher.

Phishing attacks have long been a staple in the cybercriminal’s toolkit, and Humans are the weakest link in the chain. 95% of cybersecurity issues traced to human error11. The advancement of automated technologies and generative AI tools that can create more realistic and emotionally evocative phishing attempts is a large contributing factor on this front. Cybersecurity Ventures12 predicts that by 2025, cybercrime will cost companies and individuals over 10 trillion dollars worldwide.

8. Cyber warfare and state-sponsored cyberattacks will continue to increase.

Ongoing conflicts and significant electoral events around the world are expected to be flashpoints for cyber warfare activities. According to the U.S. Department of Homeland Security’s homeland threat assessment for 202413, state-sponsored cyberattacks are among the top threats facing the nation. Critical infrastructure sectors such as energy, transportation, and healthcare are likely to be primary targets. In 2022, one of the biggest attack types on infrastructure was remote management devices with a marked increase happening over the course of the year.  In the current geopolitical environment, the trend for cyber warfare shows no signs of slowing.

9. There will be a move towards cyber resilience as cyberattacks become more common.

Organizations will no longer be solely focused on preventing cyberattacks; they will also be investing in strategies to ensure operational continuity in the aftermath of an attack.  According to the National Institute of Standards and Technology (NIST)14, cyber resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” However, it is not a one-size-fits-all concept; it can be implemented at multiple levels, including individual system elements, entire systems, and even across organizations or sectors. As cyberattacks become more frequent, organizations will likely invest more in training programs, technological solutions, and governance models that support cyber resilience. The aim is to build systems that not only defend against cyber threats but also adapt and recover quickly when attacks occur.

10. The zero trust model will continue to evolve.

The concept of zero trust has been a cornerstone in cybersecurity, operating on the principle of “never trust, always verify.”15 However, the zero trust model, which relies heavily on static rules and policies, is becoming increasingly inadequate. According to Gartner16, the future of it will demand more dynamic and adaptive security measures to cope with the complexities introduced by emerging technologies and sophisticated cyber threats. One of the major shifts in zero trust will be the incorporation of AI for real-time authentication. AI algorithms can analyze behavioral patterns and other contextual factors to make instantaneous trust decisions. Beyond that, the zero trust model will increasingly incorporate continuous monitoring of user activity. This approach extends the security perimeter past the initial point of entry, continuously verifying the legitimacy of a user’s actions throughout their session.

The adoption of zero trust is on the rise. According to a 2023 report by Fortinet17, 67% of survey respondents have adopted zero trust network access but have struggled to implement the full suite of strategies.  In fact, in 2023, only 28% had achieved complete implementation – down from 40% in 2021. While there is an increase in the intention to adopt zero trust, the difficulties in achieving full planned deployment in the business environment require a higher degree of commitment.

Conclusion

As we confront the unfolding cybersecurity trends of 2024, it becomes clear that this year will be a watershed moment for digital defense. In an era where technological progress and cyber threats accelerate in tandem, robust and forward-thinking cybersecurity strategies are not just advisable—they are imperative. Organizations are called to bolster their digital ramparts with a blend of seasoned experts, cutting-edge AI technologies, and resilient operational blueprints that promise not just to endure but to dynamically counteract cyber incursions. The path to a fortified cyber future is complex and demands a unified front across all sectors and communities. It’s a path that companies like Back To Business IT are equipped to help navigate. Staying ahead of the curve and ready to act decisively will transform these emerging challenges into stepping stones for a more secure and resilient digital landscape.


1. https://www.bls.gov/OOH/computer-and-information-technology/information-security-analysts.htm

2. https://in.indeed.com/career-advice/career-development/cyber-security-skills

3. https://www.gartner.com/en/newsroom/press-releases/2023-03-28-gartner-unveils-top-8-cybersecurity-predictions-for-2023-2024

4. https://www.businessinsurance.com/article/20230929/NEWS06/912360168/Company-cyber-budgets-jump-70-in-four-years-Moody%E2%80%99s-

5. https://www.infotech.com/research/ss/annual-cio-survey-report-2024

6. https://www.informationweek.com/data-management/iot-technology-growth-and-security-trends-this-year-and-beyond

7. https://www.mckinsey.com/industries/technology-media-and-telecommunications/our-insights/cybersecurity-for-the-iot-how-trust-can-unlock-value

8.https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1037629/PSTI_FactSheet_1__Overview__1_.pdf

9.https://cybermagazine.com/technology-and-ai/the-rising-tide-of-deepfakes-as-ai-growth-cause-concern

10. https://www.gartner.com/en/newsroom/press-releases/2023-08-01-gartner-identifies-top-trends-shaping-future-of-data-science-and-machine-learning

11. https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf

12. https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/

13. https://www.dhs.gov/sites/default/files/2023-09/23_0913_ia_23-333-ia_u_homeland-threat-assessment-2024_508C_V6_13Sep23.pdf

14. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2.pdf

15. https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify

16 https://www.gartner.com/en/newsroom/press-releases/2023-10-17-gartner-unveils-top-predictions-for-it-organizations-and-users-in-2024-and-byond

17. https://www.fortinet.com/blog/industry-trends/zero-trust-report-key-takeaways#:~:text=In%202021%2C%2040%25%20of%20respondents,54%25%20in%20the%20previous%20survey

Don’t be a Statistic: Protect Your Manufacturing Business Against Cyberattacks by Establishing a Policy of Cyber Resilience

Last year, the United States faced a staggering financial toll of over $10 billion due to cyberattacks. Alarmingly, a considerable portion of these losses impacted the manufacturing sector, making it the second most targeted industry for cybersecurity threats. The concept of cyber resilience—preparing for, responding to, and recovering from cyber incidents—has never been more critical for manufacturers. In this blog, we offer a foundational guide for manufacturers to fortify their operations against cyber threats.

What is Cyber Resilience?

Defined by the National Institute of Standards and Technology (NIST), cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” Consider cyber resilience as the protective armor your company dons against cyberattacks. While it may not prevent an attack entirely, it can mitigate the damage and help your organization recover more efficiently.

Why is Cyber Resilience Important for Manufacturers?

While technological advancements are revolutionizing every sector, they also introduce new vulnerabilities. For manufacturers, this means an increased number of entry points for cyber threats. A Deloitte report reveals that 40% of manufacturers have fallen victim to a cyber incident, and 38% of these incidents led to financial damages exceeding $1 million.

Further emphasizing the urgency is research from Statista, which shows the manufacturing industry was the target of 23% of all cyberattacks in 2021, making it the second most targeted sector. The FBI’s Internet Crime Complaint Center (IC3) 2022 Internet Crime Report indicates a 20% increase in reported cybercrime incidents affecting the manufacturing sector over the past year.

Given these alarming statistics, cyber resilience is no longer just a security measure; it’s a business imperative or manufacturers. Building a cyber resilient manufacturing ecosystem can mitigate the impact of these threats, ensure operational continuity, safeguard sensitive data, and ultimately protect your financial health.

5 Essential Elements of Building a Cyber-Resilient Manufacturing Ecosystem

1. Risk Assessment

The foundation of a robust cybersecurity strategy lies in a thorough risk assessment. While it’s impossible to foresee every potential risk, identifying vulnerabilities in your manufacturing system is a critical first step. Leveraging established frameworks, such as NIST’s Cybersecurity Framework, can provide a structured methodology for this assessment. These guidelines are designed to be adaptable across various industries, including manufacturing, and can serve as a valuable roadmap for your organization.

2. Employee Training

The human element is often the weakest link in cybersecurity. According to the 2023 Verizon Data Breach Investigations Report, human error was a contributing factor in 74% of all data breaches. Employee training is not just beneficial but essential for bolstering cybersecurity in manufacturing.

The IBM Cost of a Data Breach Report 2023 further highlights the importance of employee training. Organizations that invested in comprehensive training programs saw a significant reduction in the average cost of a data breach—by as much as $1.5 million or 33.9%. This underscores the financial and operational benefits of incorporating cybersecurity into both employee onboarding and ongoing education.

3. Data Backup and Recovery

Data is the cornerstone of modern manufacturing, driving insights that enhance production efficiency and quality. Losing access to vital data can have severe repercussions, from production halts to financial losses and damage to your reputation.

A well-structured data backup and recovery plan serves as a safety net, enabling quicker restoration of operations in the event of a cyber incident. It’s not merely about preventing downtime; it’s about maintaining the integrity of your manufacturing processes and retaining customer trust. In essence, a robust data backup and recovery strategy is indispensable for any manufacturing company aiming for cyber resilience.

4. Incident Response Planning

IBM reports that only 46% of organizations have specific incident response plans for different types of cyberattacks. This leaves a majority of organizations vulnerable, lacking a structured plan should they experience a cyberattack. An effective incident response strategy should encompass preparation, identification, containment, eradication, recovery, and lessons learned.

NIST also offers valuable guidelines, suggesting that an incident response plan should be a set of instructions designed to detect, respond to, and mitigate the impact of cyberattacks against an organization’s information systems. Whether you consult with your internal IT department or partner with a Managed Services provider, implementing a comprehensive incident response plan is essential for safeguarding your digital assets and ensuring operational continuity.

5. Regular Updates and Proactive Patch Management

Outdated software is a glaring vulnerability, akin to an unlocked front door for cybercriminals. Software developers routinely release updates and patches to address security vulnerabilities. Neglecting these updates can expose your manufacturing operations to a myriad of risks, including data breaches and system failures, as emphasized by Stay Safe Online.

To bolster your manufacturing ecosystem, it’s imperative to have a proactive patch management strategy. This involves not only updating your software but also vigilantly monitoring for new vulnerabilities and applying patches as they become available. In doing so, you’re not merely patching up security gaps; you’re constructing a more resilient and secure operational environment.

Conclusion

The concept of cyber resilience—preparing for, responding to, and recovering from cyber incidents—is no longer optional; it’s a business imperative. From conducting comprehensive risk assessments and employee training to implementing robust data backup and recovery plans, incident response strategies, and proactive patch management, each component plays a critical role in building a cyber resilient manufacturing ecosystem.

These measures not only protect your digital assets but also ensure the continuity of your operations, thereby safeguarding your reputation and financial stability. If you find yourself overwhelmed by the complexities of achieving cyber resilience or simply wish to fortify your existing cybersecurity measures, don’t hesitate to contact Back To Business IT. Our team of experts is here to guide you through every step of the process, ensuring that your manufacturing operations are as secure and resilient as they can be.

5 Essential Cybersecurity Tips for Small Business Owners

Photo of Cybersecurity button and a person pressing on a graphic of a lock

In the modern business landscape, reliance on technology by small business owners is increasing, fueling both growth and efficiency. Technology tools add many essential benefits but also introduce complex challenges with cybersecurity. A survey conducted by Connectwise in 2022 revealed a startling trend: 76% of small businesses had fallen victim to at least one cyberattack, a significant surge from 2020 when only 55% reported such an experience. The data underscores the critical importance for small business owners to safeguard digital assets.

Cybersecurity is a vast and complex field, with numerous aspects for businesses to consider. The task of shoring up security may seem overwhelming and daunting. To simplify this challenge, here are five actionable steps to enhance small business cybersecurity.

1. Inventory Technology Assets

Begin with identifying vulnerabilities potential threats can exploit to access  business data. Understanding the technology, you have in your small business is the foundation of a robust cybersecurity strategy.

  • Why it’s vital: Knowing what devices are connected to your network helps you monitor and control access. Neglecting this can lead to unauthorized access, resulting in data loss or manipulation of sensitive information.
  • How to do it: Create a detailed inventory list of all devices, including their make, model, and purpose. Regularly update this list to reflect any changes.

2. Ensure Technology is Up to Date

Once you know what technology you have within your business, keep it current. Keeping technology up to date is a critical cybersecurity measure for small businesses.

  • Why it’s vital: Hackers often exploit known vulnerabilities in outdated systems. Keeping technology up to date ensures that you have the latest security patches. Failure to update can lead to financial loss due to cyberattacks.
  • How to do it: Regularly check for updates for your operating system, antivirus software, and other critical applications. Enable automatic updates where possible.
  • Checking for Updates: Most operating systems and software have an option to check for updates in the settings or preferences menu. For hardware, consult the manufacturer’s website or support for firmware updates.

3. Implement Multi-Factor Authentication and Unique Passwords in Your Small Business

Passwords and logins are often the first line of defense in small business cybersecurity.

  • Why it’s vital: Simple or reused passwords can be easily cracked. Multi-factor authentication adds an extra layer of security. Ignoring this can lead to reputational damage if personal or financial information is compromised.
  • How to do it: Encourage employees to use strong, unique passwords for different accounts. Implement multi-factor authentication wherever possible.
  • Understanding Multi-Factor Authentication (MFA): Multi-factor Authentication, also known as MFA or Two-Step Verification, is a security process that requires more than just a username and password to verify the user’s identity. Traditional authentication methods that rely solely on usernames and passwords are often inadequate, as usernames can be easily discovered, and passwords may be simple or reused across different sites. MFA adds an additional layer of security by requiring a second “factor” to prove who you are. This second factor can be something you know (like a password or PIN), something you have (like a smartphone or secure USB key), or something you are (like a fingerprint or facial recognition).
Image of Cybersecurity Multi Factor Authentication Types of Factors. Text reads, "Types of Factors: Something You Know (Examples: PIN, Password), Something You Have (Examples: Code sent by text, MFA app), Something You Are (Examples: Face scan, Fingerprint)

4. Install a Firewall for Your Small Business

A firewall is a fundamental cybersecurity measure for small businesses. Implementing a firewall can prevent DDoS attacks, which saw a 60% increase in malicious attacks in the first half of 2022.

  • Why it’s vital: Firewalls filter incoming and outgoing traffic. Without a firewall, networks are exposed to potential threats.
  • How to do it: Consider both software and hardware firewalls. Ensure that remote employees also have adequate protection.
  • Understanding Firewalls: A firewall is a crucial component of cybersecurity, especially for small businesses. It serves as a virtual barrier between your internal network and the external internet, monitoring and controlling the flow of traffic based on predetermined security rules. There are two main types of firewalls: hardware firewalls and software firewalls. A hardware firewall is a physical device that sits between a network and the internet, while a software firewall is installed on individual computers within a network.

5. Educate Staff on Cybersecurity in Your Small Business

Your employees play a crucial role in any small business cybersecurity strategy. In fact, according to Gartner, “82% of data breaches were a result of employee behaviors that were unsecure or inadvertent.”

  • Why it’s vital: Human error can lead to breaches. Educating staff about common cyber threats and safe practices can prevent many potential attacks.
  • How to do it: Conduct regular training sessions and education, including:
  • Workshops and Seminars: Regularly conduct workshops to educate employees about the latest threats and safe online practices.
  • Online Resources: Share informative articles, videos, and tutorials.
  • Simulated Attacks: Conduct simulated phishing attacks to test employees’ awareness and provide feedback.
  • Regular Reminders: Send regular email reminders about safe practices, updates, and company policies.

Cybersecurity is not just a concern for large corporations; it’s a vital consideration for every size business. By taking these five actionable steps, you can significantly enhance the cybersecurity posture of your small business. For a more comprehensive list of things you can do to protect your business, download our Cybersecurity Essentials Checklist for Small and Medium Sized Businesses.

At Back To Business I.T., we offer comprehensive cybersecurity services tailored to your needs. If you are looking for assistance with your cybersecurity strategy, contact us today.


Department of Defense prepares rollout of national cybersecurity standards

DoD cybersecurity standards

By Tyler Greenwood, Vice President of Back To Business I.T. (originally published in the Dayton Business Journal)


Cyber incidents like the SolarWinds attack in 2019 and the Colonial Pipeline ransomware attack in 2021 have the U.S. Department of Defense (DoD) taking urgent action to strengthen national cybersecurity regulations.

report released last November found most prime contractors (and their subcontractors) hired by the DoD in the last five years failed to meet minimum cybersecurity standards, putting U.S. national security at risk. Security gaps in the federal supply chain have been well known for years, but attempts to fix them have failed.

Enter: CMMC

In response to heightened security risks, the DoD introduced Cybersecurity Maturity Model Certification (CMMC) program. Its goal is to ensure any company involved in the federal supply chain is protecting controlled unclassified information.

Under CMMC guidelines, more than 300,000 contractors must meet 110 NIST SP 800-171 controls, which the government sees as a reasonable cyber risk management approach. In addition, 80,000 of these organizations must complete a third-party assessment and certification to continue bidding on defense contracts.

When will CMMC certification be required?

The DoD is expected to release a final rule on CMMC framework by March 2023, which means contractors could start seeing requirements in RFPs/RFIs as early as May.

If your business is one of the 80,000 contractors that requires an outside assessment and certification, you may have less than a few months to do so. Failure to achieve compliance before the published rule could mean leaving money on the table and losing the ability to do business with the Department of Defense.

Getting started

If your company is still in the beginning stages of CMMC compliance, the time to act is now. Preparation and implementation of the following requirements can take upwards of 18 months. To get started on compliance, contractors should immediately:

  • Work toward meeting the 110 controls in NIST SP 800-171.
  • Identify their Supplier Performance Risk System (SPRS) score.
  • Create a system security plan (SSP).
  • Document plans of action and milestones (POA&M) to demonstrate how you intend to close any gaps for controls not yet met.

Next steps

If your organization has already started on CMMC compliance, consider conducting a preliminary self-assessment to see if you satisfy requirements. This can provide a range of helpful information to ensure you have everything functioning as expected once you’re ready to formally self-attest or go for your official certification.

If your business wants consultative guidance, including assistance walking you through standards you didn’t meet, explaining why, and offering suggestions on closing those gaps, you might find it beneficial to work with a CMMC Registered Provider Organization (RPO), such as Back To Business I.T.

As a full-service I.T. firm and the region’s leading CMMC-AB RPO, Back To Business I.T. can help you achieve NIST SP 800-171 compliance as well as help you prepare your plan of action and milestones (POA&M) and system security plan (SSP) required for CMMC certification. Learn more at www.backtobusinessit.com/cmmc-readiness.

8 Spooky Cybersecurity Statistics To Help You Prepare For The Worst

cybersecurity statistics

A cyberattack is a scary event. It can shut down a business, cripple a government, and even incapacitate an entire country if the right measures aren’t taken to prevent it from happening.

THIS HALLOWEEN, WE BRING YOU EIGHT SPOOKY CYBERSECURITY STATISTICS THAT EMPHASIZE THE DANGERS OF CYBER THREATS AND URGE YOU TO PREPARE FOR THE WORST.
  1. 54% of small and medium-sized businesses (SMBs) say their I.T. departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
  2. As of February 2022, there were 8.77 million new pieces of malware circulating the Internet of Things (IoT) and mobile app stores. (AV-TEST)
  3. A ransomware attack takes place against a business every 14 seconds. (Cybersecurity Ventures)
  4. 91% of SMBs haven’t purchased cyber liability insurance, despite awareness of risk and the likelihood that they would be unable to recover from an attack. (Cybersecurity Magazine)
  5. Almost 89.7% of US businesses saw at least one successful cyberattack within a 12-month period. (CyberEdge Group)
  6. 53% of business leaders agree that remote work has made it much easier for hackers and cybercriminals to take advantage of them. (Norton)
  7. 50% of data breach incidents involve phishing and social engineering. (Trustwave)
  8. On average, only 5% of companies’ folders are properly safeguarded. (Varonis)

A large number of organizations still remain unprepared for a cyberattack – please be proactive and prepare now by contacting us – we can implement multi-factor authentication, roll out company-wide security training campaigns, and implement policies and procedures to help you keep your business and sensitive data protected. Don’t become a cybersecurity statistic!

What to Expect When Applying for Cyber Insurance

cyber insurance
Several years ago, cyber insurance was just an add-on to larger policy discussions, but with the rise of malicious online attacks, it’s jumped to the forefront and has become one of the most expensive policies under a company’s insurance coverage. Here’s how to ace your application and get the best rates.

Cybercrime is a multibillion-dollar industry. Even with careful security measures in place, it remains a constant struggle for businesses to stay one step ahead of hackers looking to extort them. Phishing emails, malware, security breaches, network security issues, and computer system breakdowns are just a few examples of the kinds of cyber risk that can cause serious liability or revenue loss. That’s why proper cyber liability insurance remains a vital risk-transfer tool for organizations of all sizes.

For businesses attempting to acquire cyber insurance, the application process itself can be daunting. Application forms aren’t standard and can be very complex — what used to be a seven-question application has evolved over the last few years into a multi-page document broken out into various categories. Truth be told, it can read less like an application and more like an audit questionnaire. (Check out a sample cyber insurance application here.)

Insurers want to be as thorough as possible when evaluating an organization’s cybersecurity infrastructure and deciding their level of risk. They depend on the detail contained in the application to determine how well the people, processes, and technology can protect and respond to cyber threats. Any vagueness or incorrect information can create major issues later on if (or when) a claim is filed.

If you’re planning on applying for cyber insurance, it’s important to identify your company’s cyber risks prior to submitting the application. Specifically, insurers will ask for:

  • The basics — What industry you operate in, as well as how much and what type of information your organization stores, processes, and transmits. In addition, underwriters want to see how you manage data security and who oversees cyber-related matters.
  • Information security — Do you have a formal program in place to test and audit security controls? Underwriters also typically look to see if you have basic controls in place, including firewall technology, anti-virus, and intrusion detection software.
  • Breach history — Have you been breached before? Is the data you house vulnerable? How effective are your data security techniques moving forward?
  • Data backup — Underwriters want to know if you back-up all your valuable data on a regular basis, if you utilize a redundant network, and if you have a disaster recovery plan in place.
  • Company policies and procedures — What type of cybersecurity and incident response policies do you have in place? For example, how do you handle password updates, the use of personal devices, and revoking network access to former employees?
  • Compliance with legal and industry standards — Failing to comply with cyber-related legislation can be incredibly costly, and insurers want to know how you handle compliance. Specifically, whether you are compliant with applicable regulatory frameworks, are a member of any outside security or privacy groups, or utilize out-of-date software and hardware.

Although the cyber insurance application is more rigorous than most insurance applications, you can secure the best rate by doing your due diligence and prepping ahead of time. Being honest about the risks and vulnerabilities your company may face from cyber threats will also help you get the right policy coverage.

Need help applying for cyber insurance or meeting specific criteria? Talk to an expert at Back To Business I.T. today!

CMMC 2.0 Updates

cmmc 2.0 updates

WHAT IS CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the U.S. Department of Defense (DoD) on January 31, 2020 to ensure the protection of sensitive unclassified information or controlled unclassified information (CUI).

Originally, the CMMC framework had five levels of cybersecurity maturity (basic to advanced/progressive) and affected more than 300,000 defense contractors. However, on November 4, 2021, the DoD formally announced the CMMC 2.0 framework. This updated version seeks to simplify the model and reduce compliance costs by streamlining the program and scaling back the requirement that all defense contractors obtain third-party certification of their cybersecurity capabilities. Under CMMC 2.0, about 80,000 contractors will have to undergo third-party assessments while contractors at non-critical CUI levels are able to self-certify. Additionally, contractors who are not yet in full compliance with applicable cybersecurity requirements will be permitted to perform less sensitive contracts if they make a Plan of Action & Milestones (POA&M) and commit to completing the remaining requirements within specified dates. These changes are reflected in the diagram below (published by the DoD):

WHAT ARE THE NEW LEVELS?

1️⃣ Level 1 (Foundational) only applies to companies that focus on the protection of federal contact information (FCI). It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users.

2️⃣ Level 2 (Advanced) is for companies working with controlled unclassified information (CUI). It is comparable to the old CMMC Level 3. CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC. Instead, Level 2 aligns with the 14 families of security requirements and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.  Identified within DoD contracts under DFARS 252.204-7012 clause.  DoD is still working to define the “critical” CUI information.

3️⃣ Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD’s highest priority programs, estimated to be about 600 companies. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

WHEN WILL CERTIFICATION BE REQUIRED?

The DoD is in the rulemaking process and negotiations with the CMMC Accreditation Body, which is expected to take an additional 9-24 months. While these rulemaking efforts are ongoing, the DoD is suspending mandatory CMMC certification, however, it is strongly recommending defense contractors act now and get CMMC assessed/certified to minimize the risk of DIB companies exposing sensitive unclassified information.

HOW TO GET STARTED

Defense contractors looking to start their CMMC compliance journey should look into meeting the 110 controls in NIST 800-171 as soon as possible, as preparation and implementation can take up to 18 months or more.

Not only can we help you achieve NIST-SP 800-171 compliance, but we can also perform a comprehensive gap analysis and determine your current SPRS score.  Then work with you on a plan to resolve areas of non-compliance. As a full-service I.T. firm, we can also implement solutions to address gaps so you are ready for CMMC certification and future audits.

CONCLUSION

CMMC 2.0’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. critical sectors. But it’s clear that the DoD cannot wait for CMMC 2.0 formalized assessments to improve cybersecurity in the Defense Industrial Base. While the CMMC 2.0 requirements work their way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up. If you’re seeking future business with the Department of Defense, it’s important you get started on the compliance path right away.

Skip to content