July 15, 2024

Last Updated on July 25, 2024

Small to midsized businesses (SMBs) in the US defense industrial base (DIB) and other critical infrastructure verticals have an urgent need to improve their cybersecurity. The target of relentless attacks from nation-state adversaries, ransomware gangs, and other cybercriminals seeking to perpetrate industrial espionage or otherwise compromise highly sensitive data, these orgs are especially vulnerable and often ill-equipped to protect themselves.

How far along are DIB SMBs on their journey to Cybersecurity Maturity Model Certification (CMMC) compliance? What stumbling blocks are slowing their progress? And how can DIB SMBs succeed in achieving enhanced protection?

These are among the central questions benchmarked in Radicl’s unique DIB Cybersecurity Maturity Report 2024, which surveyed over 400 SMB IT practitioners in the defense supply chain. This article summarizes 5 of the top insights from the report. It can help DIB companies compare their progress, gauge their competitive standing, and gain awareness of both good and not-so-good practices among their peers.

 

One: 56% of DIB orgs admit they still need 1 to 2-plus years to become CMMC Level 2 compliant.

An unexpected finding from the Radicl survey is that 36% of DIB orgs admit they still need 1 to 2 years to become CMMC Level 2 compliant and 20% will need over 2 years.

Why is this surprising given that CMMC Level 2 requirements don’t yet appear in US Department of Defense (DoD) contracts? Because DIB orgs that handle controlled unclassified information (CUI) have been required to comply with the NIST 800-171 cybersecurity standard for CUI protection since December 2016, and the CMMC Level 2 controls are identical to the NIST 800-171 controls.

Legally and contractually, anytime a DIB subcontractor sends an invoice, they are asserting to the marketplace that they are NIST 800-171 compliant. So why aren’t more of them CMMC-ready?

“I think this shows that compliance absent an enforcement mechanism, audit mechanism, and consequences doesn’t really move the needle,” observes Chris Petersen, CEO at Radicl. “Only when companies are going to be audited and held to a standard of ‘can’t do business anymore’ do they actually begin to move.”

Chris also acknowledges the prospect of DIB companies “over-reporting” their compliance scores in the DoD’s SPRS database despite the risk of False Claims Act actions.

With CMMC requirements less than a year away, many defense suppliers now face the choice to enhance their cybersecurity or get out of the DIB. Prime contractors are accelerating this process by pushing their subcontractors to demonstrate CMMC compliance ahead of the DoD’s timeline.

 

Two: Only 62% of DIB SMBs consider cybersecurity a high or very high priority.

Given that 56% of DIB respondents admit to knowingly violating contract compliance, it’s odd that only 62% of respondents consider cybersecurity a high or very high priority.

Is cybersecurity just not on the radar for the DIB’s senior leadership? Or have they decided to accept the risk of a data breach?

Chris relates: “We’ve had conversations where we’ve heard, ‘I can’t stop them. It’s too hard. I don’t have the resources to tackle this in any realistic way. So why even try?’”

Given the potential cost and complexity of achieving compliance and certification against a comprehensive standard like CMMC, it’s plausible that “security through obscurity” has remained a strategy of sorts for some DIB SMBs. But CMMC enforcement is meant to put an end to that gamble—which heaps unacceptable risk not just on individual SMBs but on US national security.

 

Three: 46% of respondents report cyber incidents costing $100,000 or more.

If more than half of DIB orgs are nowhere near being able to protect CUI, it makes sense that many of them would experience costly data breaches. For 46% of orgs, the cost was over $100,000. That is likely more than the cost to achieve NIST 800-171/CMMC Level 2 compliance and massively reduce cyber incident risk.

Among respondents that acknowledged being breached, 29% faced expenses greater than $250,000 and 12% reported costs exceeding $500,000. IBM’s Cost of a Data Breach Report 2023 found that organizations with under 500 employees endured average data breach impacts of $3.3 million.

These statistics represent huge, unexpected impacts to typical SMB/SME operating budgets. For SMB DIB leaders reading the report, the data plainly underscores the cost and risk advantages of implementing robust cybersecurity before a breach occurs.

 

Four: 71% of DIB SMB respondents outsource to an MSP or MSSP.

Like SMBs across industries, the great majority of DIB SMBs rely on IT outsourcing to help with cybersecurity.

“Outsourcing the more complicated functions of a security program is a requirement for this segment,” notes Chris. “These companies don’t have the staff or the budget to build their own SOC, for example.”

But with so many defense suppliers getting hacked and/or failing to implement even basic cybersecurity controls, how good is the support they’re getting from these partners? Likewise, how effective is their CMMC compliance guidance?

“It’s been challenging for MSPs/MSSPs to have a high-quality offering for this segment because they are so price sensitive,” Chris adds. “It’s especially hard to provide something that operates at a high level of efficacy when it comes to more advanced security operations like threat detection at an affordable price point.”

Addressing this price/performance disconnect with AI and other technology advances is a central competitive goal for Radicl and other innovators in the SMB cybersecurity space.

 

Five: 82% of respondents plan to change their cybersecurity provider.

The high percentage of respondents looking to move to a new cybersecurity service provider(s) directly illustrates DIB SMBs’ sweeping dissatisfaction with the return on their cybersecurity investments.

Another vector in this shift is a growing awareness of what SMBs need from an MSP/MSSP in terms of capabilities to protect sensitive data.

A further challenge could be the common SMB tendency to conflate cybersecurity and compliance. Cybersecurity is about finding the needle in the haystack (e.g., detecting threat signatures within log data). But compliance is about the haystack (e.g., managing piles of log data to prove ongoing, effective control operation).

Trying to achieve both aims with one product set can be problematic, especially at an SMB price point. Cybersecurity and compliance require different but overlapping skill sets as well.

“Analytics is expensive, because every single piece of hay you go look at, every indicator you look at, largely requires human involvement today,” says Chris. “That is where the game needs to be changed. And that’s where we see AI advancements as being a potential game-changer in terms of the cost model for the SMB market.”

 

What’s next?

For more guidance on this topic, listen to Episode 140 of The Virtual CISO Podcast with guest Chris Petersen, CEO at Radicl.