Infosec pros must help small businesses and non-profits boost their cybersecurity maturity to help bolster the overall security of enterprises and critical infrastructure, Cisco System executives told attendees at this year’s RSA Conference in San Francisco.
“The weakest link in your supply chain can bring down the entirety of your ecosystem,” Jeetu Patel, Cisco’s executive vice-president of security and collaboration, warned at the start of the conference Monday.
“We need security resilience, just like we need business resilience, because there’s a massive ripple effect” from a successful cyber attack.
He noted that Wendy Nather, head of Cisco’s CISO advisory team, believes there is a ‘security poverty line’ — a baseline minimum security posture that every company should maintain. Organizations that don’t have enough resources to maintain that level fall below the poverty line.
But Cisco believes when a firm drops below that level, it not only endangers itself, it also endangers the organizations it partners with.
“We want to make sure when this happens you don’t ignore the smaller companies, the not-for-profit companies that are participating,” Patel said, “because 60 per cent of small businesses that have a cyber attack go out of business in six months.”
Shailaja Shankar, senior vice-president of Cisco’s security business group, noted the 2020 ransomware attack against Blackbaud, which sells IT solutions to non-profits and charities, impacted over 1,000 organizations around the world.
Non-profits are definitely critical infrastructure, she said, noting many help victims of violence, feed hungry people, and assist victims of natural disasters.
Other small organizations also qualify as critical infrastructure, she added, such as small municipal water utilities.
The U.S. Justice Department has charged a man with allegedly attempting to access a computer controlling the disinfectant levels of a water system, she added.
Small firms and non-profits suffer from a lack of sufficient IT budget, lack of personnel with cybersecurity expertise, outdated software and hardware, and lack of influence in negotiating terms with cybersecurity vendors and suppliers, Shankar said.
She urged conference attendees to think about how those deficits can lead to cybersecurity issues that could spread beyond the walls of those organizations.
In March, Cisco announced a US$15 million grant to NetHope, a global consortium of over 60 nonprofits, to support their digitally-enabled programs.
“We must stand together,” Shankar said. “This interconnected problem requires an interconnected approach to solving it. Shared risk calls for shared defences. As an industry we owe it to each other. I feel it is our civic duty to do this.”
“If we don’t address the least prepared in the world, the most prepared will suffer,” Patel said.