The Federal Trade Commission (FTC) is the latest federal agency to issue broad regulations regarding cybersecurity breaches. The FTC approved an amendment to the Safeguards Rule expanding coverage to include non-banking financial institutions such as financial technology companies, mortgage brokers, credit counselors, financial planners, and tax preparers. Under the new notification obligation, these non-bank financial institutions covered by the FTC’s Safeguards Rule must report to the Commission any notification event (access to unencrypted customer information without the permission of the customer) affecting 500 or more consumers no later than 30 days after discovery of the event. The Rule goes into effect May 13, 2024. The Rule is in response to ever-increasing cybersecurity threats facing businesses of all sizes—businesses that should have basic cybersecurity practices and information security policies in place to protect intellectual property, financial data, employee data and customer data—especially if that customer is the federal government or a regulated industry.
While this rule requires reporting after an event occurs, businesses should be focusing on adopting best industry practices to prevent the breach from occurring.
Cybersecurity In Defense Government Contracting
Core cybersecurity best practices should be standard operating procedure for government contractors: using a firewall and antivirus software, enabling multi-factor authentication, backing up data regularly, performing periodic risk assessments, adjusting information security programs based in part on those risk assessments, and regularly testing system controls.
The Department of Defense has released for public comment its proposed final rule for mandatory minimum cybersecurity standards under Cybersecurity Maturity Model Certification (CMMC) 2.0, which defines three levels of cybersecurity. Enforcement of CMMC 2.0 protects sensitive defense information and national security assets and aligns with widely accepted National Institute of Standards and Technology (NIST) cybersecurity standards. Contractors must demonstrate compliance with CMMC 2.0 through self-assessments as well as through assessments by CMMC Third Party Assessor Organizations (C3PAOs). Implementation will be phased in over a period of time to allow contractors to adapt to the requirements.
While not included at this time, it is likely that contracts issued under the Federal Acquisition Regulation (FAR) will ultimately require the same cybersecurity requirements as Defense Federal Acquisition Regulation Supplement (DFARS) acquisitions geared toward Department of Defense contracts. Non-DoD contractors would be well advised to consider CMMC requirements when they make modifications and upgrades to their systems.
Examples of Cyber Attacks
Data acquisition is the most frequent reason for cyber-attacks, but the methods used vary. Some hacking exploits weaknesses in software, but most occurs through the acquisition of usernames and passwords that are poorly protected. Often, these credentials are obtained through:
- Watering Holes – Cybercriminals take control of legitimate websites without the owner’s knowledge and turn the authorized website into a malicious one.
- Phishing – Cybercriminals send a legitimate-looking email that either tricks the recipient into divulging login information or into opening a malicious link or attachment, which often delivers ransomware.
- Man-in-the-Middle – Cybercriminals secretly insert themselves into a communication link, which effectively allows them to eavesdrop on communications between two parties and to make use of whatever information is passed between them.
Cybercriminals target companies of all sizes, and almost 43% of cyber-attacks are aimed at small companies. Putting basic cybersecurity practices in place will help you protect your business and maintain the trust of your customers.
- Protect Your Files & Devices – Keep your software up to date, including apps, web browsers, operating systems, and virus protection software.
- Train users not to open messages from unrecognized senders, especially if they contain attachments, links, or downloads.
- Secure your files – Back up important files offline, on an external hard drive, or in the cloud, and make sure you store your paper files securely. Be careful not to overwrite all of your backups: ransomware in particular often has a delayed activation for the express purpose of reaching your backups as well.
- Encrypt devices – Encrypt devices and other media that contain sensitive personal information.
- Use multi-factor authentication – Require multi-factor authentication (like a temporary code) to access areas of your network with sensitive information.
- Require strong passwords – Use passwords for all laptops/tablets/smartphones and do not leave devices unattended in public places. A strong password is at least 12 characters that are a mix of numbers/symbols/capital and lowercase letters. Also do not reuse passwords and don’t share them on the phone, in texts, or by email.
- Train all staff – Create a culture of security by implementing a regular schedule of employee training.
- Have a plan – Have a plan for saving data, running the business, and notifying customers if you experience a breach.
Currently, all 50 states have laws requiring covered entities to notify individuals of data breaches. Additionally, sector-specific federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) impose their own customer notification requirements for breaches of individual data. Increasingly, states are enacting data privacy laws that deal with the protection of consumer information and provide penalties for the mishandling of information.
Per the 2022 Internet Crime Report produced by the FBI’s Internet Crime Complaint Center (IC3), the IC3 received 800,944 reported complaints with losses exceeding $10.3 billion due to cyberattacks on individuals, businesses and critical infrastructure. Accenture’s Cybercrime study reveals that 95% of cybersecurity breaches are attributed to human error, that 43% of cyber-attacks are on small businesses, and that only 14% of those businesses are prepared to face such an attack. Small businesses reportedly spend between $826 and $653,587 on cybersecurity incidents.
C2 is a Professional Employer Organization (“PEO”) that provides outsourced HR services to businesses across a variety of service industries with a focus on federal government contractors. Utilizing our PEO model allows our clients to transfer the responsibilities and liability of payroll, benefits administration, employee onboarding, and employee relations to C2 and to focus their attention on satisfying their clients and growing their business. C2 blog posts are intended for educational and information purposes only.
More information about C2’s PEO and other related HR services is available at www.c2essentials.com.