Later this year, the Cyber Readiness Institute (CRI) is launching a suite of tools and resources to enable small and medium-sized businesses address key issues related to improving cybersecurity. Leading the development of this Cyber Readiness Program is Craig Moss. In addition to his work at CRI, he has extensive experience working with global value chain companies to better manage risks and improve compliance. In this Q&A, we ask Craig about the work behind the development of the Cyber Readiness Program.
- For those unfamiliar with your background could you elaborate on how you joined the Cyber Readiness Institute and your role at CRI?
My background spans a number of different areas that are relevant to our mission at CRI of helping SMBs in the value chain improve their cyber readiness. I headed an international business development consulting firm that worked in 30 countries. I’ve written guides for the World Bank and the United Nations on using management systems to reduce risks. I’ve worked with dozens of multinationals to measure and improve how they manage third party risk - and then help the companies in their supply chains improve their controls. Part of this work is understanding how to help small and medium-size businesses embed cyber readiness into how they operate – to develop a culture of cyber readiness. At the Center for Responsible Enterprise And Trade (CREATe.org), where I am the COO, I lead a cybersecurity advisory council consisting of 25 multinationals and universities. We developed a cybersecurity risk management maturity tool completely aligned with the NIST Cybersecurity Framework. I also do a lot of work on using a management systems approach to protecting trade secrets and confidential information. That experience is really helpful because one of the primary reasons we care about cybersecurity is to protect confidential information.
- When developing the content and tools how did you and the Cyber Readiness Institute team decide on the four key issues and your approach?
We targeted four key issues as being central to creating a foundation of cyber readiness: authentication, patching, phishing and use of USB drives. These are issues that a company of any size can address by focusing on the actions of people in their organization. Improvement can be made without needing to spend a lot of money on technology. According to our research and the comments of our member companies, if you look at the root cause of most cyber breaches, in more than 80% of cases, one of these four issues is at the bottom of it.
- Which of the four key issues (authentication, patching, phishing and the use of USB drives) do you think is most easily addressed by small and medium-sized businesses? Which issue is most complex?
At the most basic level, I think authentication is probably the simplest to address. We encourage organizations to start using passphrases instead of passwords. Passphrases are easier for people to remember. Initially, people in the workforce may complain because they are long, but using passphrases definitely reduces cyber risk.
In terms of complexity, it depends on the nature and structure of the organization. For example, patching is straightforward if it is managed centrally and people are all using company-issued devices. However, it becomes much more complex if you have people using their own devices and applications. If it is realistic to say no one can ever use a USB drive, that’s pretty straightforward. But in many companies eliminating USBs is impractical for certain roles in the organization. Then it becomes a much more complex issue. On a daily basis, phishing may be the most complex because the hackers are actively and aggressively coming up with new ways to fool people.
- CRI recently launched a pilot of the Cyber Readiness Program. What are you hoping to learn from the participating pilot companies?
We have 20 small and medium-sized businesses (SMBs) from 6 countries going through the Program to learn what works; and how we can improve the Program before the public launch on November 15. The online Program consists of five stages: Get Started, Assess & Prioritize, Agree & Commit, Roll-out and Measure Success. Participating organizations receive guidance on how to select their Cyber Leader. The self-guided Program provides the Cyber Leader with background on the issues, tips on building a culture of cyber readiness and documents they can download, like policies, training materials, posters and simple metrics.
During the pilot we are learning what content is most helpful and what we could add. We want to make sure it is at the right level of detail. This has some challenges because the pilot companies range from a 12-person investment management company to a 750-person manufacturer. We’re also tracking the Cyber Leader’s confidence level, the level of senior management support and the impact the Program is having in the workplace.
- From a content perspective, what is next after the global launch of the program later this year?
The Cyber Readiness Program we’re launching in November is phase one. It was specifically designed to help companies of all sizes get to a basic level of cyber readiness. Our focus right now is on refining the phase one program and establishing a broad network of distribution partners, so we can quickly reach as many SMBs as possible. Given the interest we are already getting from other countries, translating the Program and resources into relevant languages is one action item for early 2019. We’re exploring how to help companies sustain and build on the improvements they make in authentication, patching, phishing and the use of USBs. Other program development considerations are expanding the basic material beyond the four focus issues or developing content for SMBs that are starting from a higher cybersecurity maturity level.
To learn more about the Cyber Readiness Institute please contact Henry Vido, [email protected]