Data Breach Digest: Cybersecurity must take priority during the next president's term
Soon the country will make a monumental decision – a new president of the United States will be elected. With this change in leadership, I am sure you are thinking: what will this mean for cybersecurity and the 21st century threats facing the country?
Among the many hot topics discussed during this year’s presidential debates between Donald Trump and Hillary Clinton, one tech issue has risen to the top – cybersecurity. Rightfully so, given the significant impact of cyber-attacks that target individual citizens and companies. In the relatively short time span of this year’s election cycle, we’ve seen an attack on the Democratic National Committee that the Obama administration accused the Russian government of executing. Additionally, Russia is suspected to be responsible for the attempted hacking of several state voter databases, including Arizona’s and Illinois’. These recent incidents, in addition to past mega-breaches like the Sony and OPM attacks, are the main reason cybersecurity was a hot debate topic this year.
Given the current breach environment, there is a clear need for coordinated, improved and strengthened cybersecurity efforts in the United States. Surprisingly enough, both Trump and Clinton have focused their rhetoric on enhancing the country’s offensive cyber capability, as well as establishing under what circumstances they would retaliate to an attack. Unfortunately, this neglects what is most important for hardening the U.S. from attackers: improving the security posture of our critical infrastructure and the private sector. It’s vital that the next president focus his or her administration on the defensive cyber capabilities to help protect our country from politically motivated attacks.
In the end, regardless of who gets elected, we must continue to push for initiatives that protect our critical infrastructure and corporations. While Congress has been slow to move on proposing data breach legislation despite the industry’s interest (see more here), that doesn’t mean that we should or need to sit on our hands in the meantime.
There are several steps that both the public and private sector can take to improve security and corporate cooperation.
NIST Cybersecurity Framework: Providing Best Practices
Companies should consider adopting many of the security best practices outlined in the Commerce Department’s National Institute of Standards and Technology cybersecurity framework. This framework, which was developed in close conjunction with experts in the industry, provides useful guidance on steps any organization can take to manage and reduce cybersecurity risk.
While the framework was originally developed to address threats faced by the public sector and organizations that own or operate critical infrastructure, adoption of the framework is still relevant and advantageous for businesses across all industries. It’s an inclusive tool that provides companies with a common language, helps them communicate their security risks from the server to board room, and offers customers an additional sense of assurance that investments in proper security standards have been made.
For the public sector, continuing to iterate this framework – one that broadly appeals and applies to all organizations – further enables organizations to determine their cybersecurity capabilities and improve their practices.
Investing in Critical Infrastructure Cybersecurity: Subsidizing Cyber Insurance
During Obama’s two terms in office, he has issued several executive orders highlighting important cybersecurity proposals that the next administration should continue to explore. One in particular that comes to mind for me is the efforts outlined in the Executive Order 13636. The order, signed in 2013, highlights the importance of offering a “menu of incentives” not only within sectors, but also at the corporate level to help mitigate losses due to data breaches, network damage and cyber extortion, among other benefits.
In particular, it calls for exploring how to incentivize the purchasing of cyber insurance for critical infrastructure providers, which can be a very important tool in breach preparedness. According to a recent Ponemon Institute study, only 38 percent of companies have cyber insurance. Receiving support for the development of a viable cybersecurity liability and insurance system from the administration as well as incentives and/or federal reinsurance programs to help underwrite the development of such programs – as outlined in the order – would better promote the use of coverage policies and eliminate some of the current roadblocks companies face, in turn, improving the country’s overall security health.
My hope is that the next administration will continue to explore ways to help the private sector protect itself.
Information Sharing: Collaborating With Corporations, Government and Industry Peers
Last but most definitely not least, businesses and industry sectors must continue to share more cyber threat intelligence with one another. Outside of Obama’s aforementioned order that did also call for an increase in cyber threat information sharing between the government and U.S. private sector entities, legislation has been a bit elusive in this area. With that in mind, this is an area where organizations can take initiative by first sharing information with each other, and also identifying ways to work more productively with law enforcement.
The good news? Companies are already making great strides through the sector-specific Information Sharing and Analysis Centers. These organizations allow companies to share the critical threat intelligence information needed to stop common threat actors, and adoption of these programs continues to increase. According to Experian’s annual preparedness study, 41 percent of organizations participate in an initiative or program for sharing information with government and industry peers about data breaches and incident response. However, that still leaves over half of organizations that are not participating. Given that businesses often get caught in the crosshairs of politically motivated attacks, this number should be 100 percent.
As we quickly approach the presidential election, the industry must understand that there’s a collective responsibility in improving our security posture and hardening the country from cyber attackers. Regardless of who is elected – democrat or republican – the security threats we face as a country will continue to evolve and advance. Ultimately, the most important step we can take as a country to defend ourselves is to join forces, collaborating each step of the way.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].