Blog

The Top Four Things Tech Manufacturers can do to Bolster the Cybersecurity of Target-Rich, Cyber-Poor Organizations

By: Clayton Romans, Associate Director, and Emily Skahill, Cyber Operations Planner

Schools, municipalities, and non-profit organizations contribute to flourishing communities by supporting civic life and democratic processes. 

Unfortunately, many of these “target-rich, cyber-poor” organizations find themselves susceptible to cyber intrusions by cybercriminals and advanced persistent threat actors because they lack the resources to adequately invest in cybersecurity talent, tools, and services. This can lead to the disruption of critical social services supporting civil society and put the information of vulnerable communities at risk of theft and/or ransom. 

Because many software manufacturers have not built their products in a secure by design manner, “target-rich, cyber-poor” organizations are at a disadvantage. In many cases, they need someone with training and expertise to implement mitigations and securely configure products, a resource they can’t always afford. To make true progress in securing the organizations that lead to flourishing communities, technology manufacturers should keep the context and constraints of these end users in mind and ensure that organizations with varying levels of resources and technical expertise can deploy products securely.

For product offerings that are heavily used by schools, municipalities, non-profits, and other “target-rich, cyber-poor” organizations, here are some general facts to keep in mind: 

  • The organization may not have a dedicated full-time Chief Information Security Officer (CISO), or even an Information Technology (IT) Director. Therefore, products should be securely configured out of the box so that the burden isn’t on non-IT personnel to implement configurations correctly. 
  • When serving K-12 institutions, you are serving an organization whose users (who may have logins and passwords) are just learning their ABCs. Product design should reflect this so that anyone can use the product securely without needing to be a cybersecurity expert.
  • The Board of Directors or Council members are often part-time volunteers who may receive minimal reimbursement and often have other full-time jobs. Security is often not their primary focus or motivator.
  • IT budgets and allocations for cybersecurity are often limited.

Using this context as a guiding principle, the following four steps can guide software manufacturers to bolster the digital defenses of “target-rich, cyber-poor” organizations. 

  1. Take CISA’s Secure by Design pledge to commit to building products that are designed with security from the start and are secure out of the box.
    • Launched this week, CISA’s Secure by Design pledge is catalyzing actions by leading technology manufacturers to take ownership of security outcomes for customers.
    • See CISA’s Secure by Design whitepaper for more information on what it means to be secure by design. 
  2. Make it easy to use technology products securely for users of all skill levels.
    • Not every organization has a dedicated full-time CISO, IT Director, or even a team member with the technical background to understand a product’s security controls and their impact on the organization’s digital ecosystem. 
    • Industry should include a Customer Responsibility Matrix and simplified instructions as part of a product offering and implementation. For example, this is a requirement in StateRAMP’s security package for StateRAMP Ready and StateRAMP Authorization, as security relies on shared responsibilities. 
    • Ideally, end users shouldn’t need to take any steps to use a product securely. Consider reviewing hardening guides to lift the burden from users by making secure configurations the default. 
  3. Contribute time and technical expertise to programs that support the cyber readiness of schools, municipalities, and non-profits. 
    • Industry subject matter experts can advise under-resourced organizations on cybersecurity best practices through participation in cyber volunteer programs. See the Cyber Volunteer Resource Center for more information on how to lend support to local and international cyber volunteer programs.
    • Industry can also participate in programs, such as StateRAMP, the Multi-State Information Sharing and Analysis Center (MS-ISAC), NetHope, and others that provide shared resources to state, local, educational, and non-profit organizations.
  4. Develop a program that offers tools or services to “target-rich, cyber-poor” organizations for free or at a discounted rate. 
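To make step 2 concrete, here is an added example of what “secure configurations as the default” looks like at the code level. It is illustrative code written for this post, not CISA’s code or any vendor’s product: the product, its four settings (TLS, MFA, session timeout, admin password), the baseline values, and the list of well-known passwords are all hypothetical. The contrast is between a loader that ships weak defaults and relies on the customer to harden them, and one whose defaults already match the hardening guide, refuses to start with a missing or well-known credential, and records any deliberate weakening as an explicit operator decision.

```python
"""Secure-by-default configuration loading (added example, not CISA's code).

The product, its settings, the baseline values and the weak-password list are
hypothetical; they illustrate the principle that hardened values should be the
defaults, so a customer with no IT staff gets them without reading a guide.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Hypothetical hardening-guide baseline. In the secure-by-default loader these
# values ARE the defaults, so a customer who configures nothing gets them.
SECURE_DEFAULTS: Dict[str, Any] = {
    "tls_required": True,
    "mfa_required": True,
    "session_timeout_minutes": 15,
    "admin_password": None,  # no vendor-shipped credential; must be set at install
}

# Constructed denylist of vendor-default and well-known passwords.
WEAK_PASSWORDS = {"admin", "password", "changeme", "123456"}
MIN_PASSWORD_LEN = 12


@dataclass
class ProductConfig:
    tls_required: bool
    mfa_required: bool
    session_timeout_minutes: int
    admin_password: str
    # Every deliberate weakening is recorded so it shows up in logs and audits.
    warnings: List[str] = field(default_factory=list)


def load_insecure_default(overrides: Dict[str, Any]) -> Dict[str, Any]:
    """The pattern the post argues against, kept only for contrast: the product
    starts with TLS and MFA off and a known admin password, and stays that way
    unless someone with the expertise to read the hardening guide changes it."""
    cfg = {"tls_required": False, "mfa_required": False,
           "session_timeout_minutes": 0, "admin_password": "admin"}
    cfg.update(overrides)
    return cfg


def load_secure_default(overrides: Dict[str, Any],
                        acknowledge_downgrade: bool = False) -> ProductConfig:
    """Secure-by-default loader: hardened values unless explicitly overridden,
    fail-closed on a missing or weak credential, and weakened settings accepted
    only with an explicit acknowledgement that is then recorded as a warning."""
    cfg = dict(SECURE_DEFAULTS)
    cfg.update(overrides)

    password = cfg["admin_password"]
    if not password:
        raise ValueError("admin_password must be set during installation; "
                         "no default credential is shipped")
    if password.lower() in WEAK_PASSWORDS or len(password) < MIN_PASSWORD_LEN:
        raise ValueError("admin_password is a well-known or too-short value")

    # Any setting weaker than the baseline is a downgrade, whether it was set
    # to False or to a longer session lifetime than the guide recommends.
    downgrades = [name for name in ("tls_required", "mfa_required")
                  if cfg[name] is not True]
    timeout = cfg["session_timeout_minutes"]
    if timeout <= 0 or timeout > SECURE_DEFAULTS["session_timeout_minutes"]:
        downgrades.append("session_timeout_minutes")

    if downgrades and not acknowledge_downgrade:
        raise ValueError("refusing weakened settings %s without explicit "
                         "acknowledgement" % downgrades)

    return ProductConfig(
        tls_required=cfg["tls_required"],
        mfa_required=cfg["mfa_required"],
        session_timeout_minutes=timeout,
        admin_password=password,
        warnings=[f"{name} weakened from the secure default by operator choice"
                  for name in downgrades],
    )


if __name__ == "__main__":
    # Unconfigured install under each model: known credential and everything
    # off, versus a refusal to start until a real credential is supplied.
    print(load_insecure_default({}))
    try:
        load_secure_default({})
    except ValueError as err:
        print("secure-by-default loader refused:", err)
    print(load_secure_default({"admin_password": "correct-horse-battery-staple"}))
```

The design point is in the failure path: the insecure loader never fails, so a school district that installs it and forgets the guide runs with a known password and no MFA indefinitely; the secure loader fails closed at install time and only weakens a setting when an operator says so in writing, which is the decision a Customer Responsibility Matrix would document.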

By taking these four steps to consider the cybersecurity challenges of “target-rich, cyber-poor” organizations and empower them to deploy products that are secure by design and by default, industry can help raise the cybersecurity baseline of the organizations that promote flourishing communities.

ACKNOWLEDGEMENTS 

NetHope and StateRAMP contributed to this blog. 
Disclaimer

CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.