As we end the first work week of the 2021 Cybersecurity and Infrastructure Security Agency’s (“CISA”) Cybersecurity Awareness month, this week’s theme, #BeCyberSmart, brings us to an important axiom in creating cyber resiliency: no one organization can meet the information security challenges it faces alone. For larger organizations, this axiom may not create much of a challenge as they often have resources to engage best-in-breed partners in securing their systems and then testing that security. For the rest, they are left to examine the cost-benefit analysis of either directing resources to operations, sales, or marketing, or toward improving their security posture on their own. In this analysis, however, security often loses out, seen as a cost center only, not a way to build an organization’s resiliency, brand, or internal engagement.
Fortunately, there are options for those organizations within the ambit of “critical infrastructure” as identified and defined pursuant to Presidential Policy Directive 21 (PPD-21). Under PPD-21, critical infrastructure has been scoped very broadly, encompassing 16 different sectors covering broad portions of our overall economy. Sectors commonly understood as critical, such as transportation, energy, and water, are included, but so are other sectors not so commonly understood as critical, such as the commercial facilities sector, which includes shopping, business, entertainment, and lodging.
There is no comprehensive listing of what organizations qualify as critical infrastructure and what organizations do not, and this flexibility can work to an organization’s advantage, when it wants to #BeCyberSmart. This is because CISA, in conjunction with this year’s Cybersecurity Awareness month, is spreading the word on services it offers—free of charge—to critical infrastructure organizations, to help build a more resilient cyber posture. These include a cybersecurity evaluation tool, as well as a suite of cyber hygiene services, including items an organization would normally have to pay for, such as vulnerability scanning, web application scanning, phishing campaigns, and remote penetration testing. Indeed, even if an organization is already receiving services like these from a trusted commercial partner, it behooves the organization to consider getting another set of eyes to look at the same issues, especially when those eyes belong to an organization with the resources and visibility of CISA. And after all, when it comes to getting good support in protecting your systems, nothing beats free.
And there is no harm in asking. CISA’s philosophy in providing these services is that if one of us is at risk, we all are at risk, in some fashion. Certainly, there are limits to how broadly the definition of critical infrastructure can be understood, but CISA is definitely there to help, and an organization that did not previously understand itself to be either critical or infrastructure may find that CISA thinks it is. If there is anything the COVID-19 pandemic has taught us, it is that many smaller organizations, or those thought of as mundane, are truly critical to our safety, security, and way of life.
So as your organization plans its security efforts for 2022, keep in mind that security truly is a team sport, and CISA wants to be on your team. Even if an organization does not engage with CISA for any of these services, having a relationship with your regional CISA office can provide quick and reliable intelligence when improving your cyber posture or when responding to an incident.
If you have any questions regarding this LEGALcurrents, please contact any member of the Privacy and Data Security group at 585.232.6500 or 716.853.1616.
Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2021 Harter Secrest & Emery LLP