ABI conference shares top cybersecurity needs on the horizon
Before an organization can use technology as an asset to support innovation, it should have a foundation of cybersecurity protections and defenses in place to help prevent a breach of company data.
This was one key message shared during the Iowa Association of Business and Industry’s Manufacturing Conference, held on Oct. 2.
Jake Wagner and Mark Oliver of Creative Planning Business Services, a national financial adviser with four locations in Iowa, shared some IT and cybersecurity trends for companies to consider as they approach 2025. While many of the attendees were from manufacturing businesses, several of the trends apply across industries.
Here are their top trends and recommendations for the coming year.
Cyber insurance and security assessment
The top two ways companies can take immediate steps toward securing their IT infrastructure are getting cyber insurance and having a third party perform a security assessment of the organization.
Wagner, a technology sales leader with Creative Planning, said a comprehensive cyber insurance policy is the closest thing to a “silver bullet” in managed IT.
But the increasing prevalence and complexity of cyber threats means getting a policy is a bigger undertaking.
“Four or five years ago, when cyber insurance was relatively new, you needed to answer about four questions. Today, it’s over four pages of questions,” Wagner said.
He said accuracy is essential because companies could be held liable for incorrectly filling out the forms.
There are more prerequisites to get a policy as well, like having an established incident response plan in the event of a breach.
Wagner said those who already have cyber insurance should double-check that their coverage is not limited to the standard $50,000 rider. Often attached to the general liability policy, that rider would not begin to cover the expenses of recovery after a cybersecurity incident, he said.
A third-party security assessment helps organizations understand what’s going well and areas to improve, Wagner said. Assuming most companies have a finite budget to put toward technology improvements, he said leaders can use the assessment results to create a multiyear roadmap and plan changes over time. As improvements and plans are implemented, he said companies should document them to show their progress and to reference in the case of a security breach.
An assessment evaluates security across the organization, including the internal- and external-facing technical network and systems, as well as administrative policies and training and physical security such as facilities and surveillance.
Companies receive a score after the assessment, and that helps leaders see how their security measures stand up against others both nationally and locally. This can also help determine how much to invest in new protections, Wagner said.
“We see this time and time again. It’s like you’re getting chased by a bear in the woods. How fast do you need to run? Faster than your friend, that’s it,” he said. “If you can be above the line of what good looks like, that bullseye on your back actually gets allocated to the next person that’s lower on the totem pole.”
CMMC compliance to affect manufacturing companies specifically
Cybersecurity Maturity Model Certification (CMMC) compliance is a system of standards used by the U.S. Department of Defense to ensure its contractors and subcontractors meet cybersecurity requirements to handle sensitive data.
The first iteration of the CMMC model went into effect at the end of 2020, establishing a five-year phase-in period. An updated program structure and requirements, CMMC 2.0, is currently under internal review.
Wagner said the program will have a widespread effect on manufacturers because it could apply to organizations that play a small part in the overall process.
Contractors will fall under one of three levels, depending on the information they are working with. One of the updates in the new model is aligning the regulations with the National Institute of Standards and Technology’s cybersecurity standards, which are widely considered the national standard.
Regardless of the level an organization falls under, Wagner said complying with the standards is a significant cost leaders should plan for.
“A question as you’re exploring this at an executive level is do you have any sort of CMMC requirements today? And over the course of the next 12 to 24 months, do you anticipate being required to be at a Level 1, Level 2 or Level 3?” he said.
Staffing and training
Wagner said he sees companies having success with co-managing their IT operations, meaning the internal resources are supplemented with some level of outsourced support.
He said it is not possible for one person to effectively manage all the systems a company has to maintain in today’s technology landscape, and outside support helps hold the internal IT team accountable.
Similarly, people across the organization should be involved in cybersecurity efforts to create a sense of investment. A recommendation for companies in the past has been to establish a committee that oversees progress and planning.
Companywide cybersecurity training remains one of the best defenses against a cyber incident, Wagner said.
“One of the best defenses you can have today is a smart user,” he said.