, , ,

5 Reasons Every Business Owner Should Care About CMMC

What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the government, you now have to prove you are taking cybersecurity seriously through this certification model.  While your business may not qualify for CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor many times can easily diagnose common illnesses, the same often is true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to Defense contractors, other regulated industries will take note.  Health and Finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the blow of the financial expense of implementing security requirements?  What lessons can other regulators learn about the rollout of new security regulations?  All these will be questions regulators will be employing to find ways to properly motivate businesses to hold themselves accountable to the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately-owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industry, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware increased at a rate of 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening the insurance industry with finding ways to better mitigate their risk.  One way of mitigating the risk is paying resources to work with law enforcement officials to recover and/or freeze the ransom payments before the malicious actors can benefit from them. 

Some insurance carriers have implemented security questionnaires that automatically deny coverage for those entities falling short on basic cyber-hygiene.  The natural result is higher cost of business for insurance companies which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter what the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many businesses have smart devices in your organizations (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get implemented in your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – Internet of Things) is going to complicate businesses security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue from downtime, critical resources from cutbacks, brand reputation losses, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have ways to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability for hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s principally difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money, while also informing them of new security implementations they need to consider.  Everyone readily admits that technology has drastically changed in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or worse) approach to security. 

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.