r/technology Dec 01 '22

Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements Security

https://www.infosecurity-magazine.com/news/us-defense-contractors/
1.6k Upvotes


9

u/SkyIsNotGreen Dec 01 '22

That's unsurprising, most people don't understand how the internet works, huge portions of it run on vastly outdated tech, most of it is defenceless, places that aren't defenceless almost certainly have entry points, and places that have neither probably publish the data needed for a breach on some form of social media

5

u/deadsoulinside Dec 01 '22

> That's unsurprising, most people don't understand how the internet works, huge portions of it run on vastly outdated tech, most of it is defenceless, places that aren't defenceless almost certainly have entry points, and places that have neither probably publish the data needed for a breach on some form of social media

But that's more expected for your average Small-Mid business, versus a company that has a contract with the government.

Most small-to-mid businesses can't possibly think of why a bad actor would want to hack their company, so they blow off any realization that they could be compromised pretty badly. Only when something like ransomware hits, or, more commonly, a controller's account is compromised and their email address is used to request that payees send the funds to a "new account", do they realize it, and sometimes not even then does that stop a few from sending the funds elsewhere.

Whereas as a government contractor, you should always be vigilant and aware that a person with malicious intent will always look for the weaker links, like contractors, to attempt to gain access to any and all systems. From reading the article, it does appear that many don't have the proper resources in place, but from working in IT for many years, all the CEOs see is the cost savings from not spending an additional 100k+ a year on site-wide security for their systems. Not to mention the additional cost of extra staffing just for the purpose of incident response.

Even small-to-mid businesses have responded "Why should we change anything? We have not had an incident in 20+ years", only to have their foot in their mouth the following week when Barb from accounting called the "Your IP address has been reported for XX reason" number on her screen. She then allowed third-party remote viewing software to be installed on her system, because the CEO had advised the IT department years before to make Barb a local admin on her machine.

Even a site hit twice with ransomware still doesn't see it as bad, because each time they just have IT fix the infected computer and restore shared files from the most recent backup, regardless of whether this means employees have to redo the work they put into updating their data in the 24-48 hours since the last backup.

Why spend any more on even a product like SentinelOne that could mitigate the attack and attempt to recover the data ASAP, versus having servers offline for days while everything is worked on on-site to recover and restore services? They will still see their third-party IT bill of 10k or whatever as a win versus 25k+ a year for a complete endpoint solution deployed across all computers and servers.

The biggest issue with both sides (CEOs and the internal IT or MSPs they may contract with for products and services) is that most don't work nearly as hard as they should to be proactive with their security; they only respond reactively once someone messes up.