The intersection of physical and digital worlds has undoubtedly changed the way we live, work, and play in recent years. From self-driving cars to smart buildings and the metaverse, this intersection is everywhere you look. Not to mention that our global economy practically depends on networks and computer systems to function. As big business continues to tout the benefits of an interconnected world, black hats and cyberterrorists rejoice.
Hackers have been breaching servers for years looking for valuable data to exploit, but as our online world bleeds offline, attacks are becoming more tangible. Think disabled alarm systems, incapacitated access control readers, or overridden safety backups that lead to property damage and potential loss of human life, as well as huge losses in revenue as a result of physical damage, personal liabilities, and cyber-extortion. These types of attacks are already a reality, and increasingly commonplace occurrences.
A malware attack on a German steel mill resulted in substantial property loss after the disrupted control system failed to shut down a blast furnace. The ransomware attack on our very own Colonial Pipeline system on the U.S. east coast resulted in financial losses to shareholders and consumers. And then there is the rash of software vulnerabilities and subsequent cyber-attacks on virtually every leading manufacturer of security cameras, which has triggered more problems than we are even aware of. As such events increase in severity and frequency, governments, consumer groups, and insurance companies alike will be looking at those in charge to assign blame.
Analysts at the research firm Gartner predict that by 2024, 75% of CEOs will be held personally liable for security incidents that occur within their organization. Previously, punishments for organizations following a cyberattack were limited to loss of customer confidence, industry fines, and individual financial judgements. By assigning liability to an individual, the hope is an increased budget and focus on cyber-physical security from the top down.
“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” says Katell Thielemann, Research Vice President at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure cyber-physical systems (CPSs), drastically increasing rules and regulations governing them.”
While Europe already has the General Data Protection Regulation (GDPR) in place to mandate privacy and security compliance, the U.S. is not far behind with several directives in the works to address the need for heightened security infrastructure and spending. Many of these directives will impact executives and boards directly.
Cyber-attacks that pose a physical threat are here whether organizations are ready to address them or not. With new mandates enacted and attack surfaces growing, organizations and their leaders need to act quickly to address their cyber-physical security framework.
The Past, Present, and Future of Security Policy
With infraction fines north of $20 million, the GDPR could be seen as a proof of concept for those looking to improve cyber-physical security habits in the U.S. The idea is that, under the threat of fines and personal liability, organizations will invest more in cyber-physical security protections, which in turn protect people and critical infrastructure. Research completed by business advisory firm RSM UK in 2019 supports this notion, finding that 68% of businesses across Europe reported investment in cybersecurity due to the GDPR requirements. These investments seem to be paying off, as 42% of companies agreed that the GDPR had made their business safer from cybercrime.
The European GDPR went into effect in 2018, immediately impacting how companies around the globe collect, store, and manage data. While the GDPR largely applies to personal data gathered online, data gathered from physical systems is not exempt. In fact, the first penalty levied against an organization for GDPR non-compliance was for video surveillance violations, underscoring the importance of both cyber and physical protections. Using the GDPR as a potential roadmap, the U.S. is beginning to examine how to standardize cyber-physical risk management and enforce security as a C-suite-level priority.
Steps have already been taken stateside to promote individual and organizational accountability when it comes to cybersecurity. The Corporate Executive Accountability Act (CEAA) was specifically introduced to expand criminal liability to negligent executives of large corporations. If passed, executives of corporations found responsible for a data breach affecting the personal data of 1% of the American population, or 1% of the population of any state, would be held criminally liable and face jail time.
Conversely, the Consumer Data Privacy and Security Act (CDPSA) seeks to create federal standards and regulations for American businesses that collect, process, and use consumers’ personally identifiable data. Under the CDPSA, businesses would be required to develop and implement robust data security programs. While neither bill has passed yet, their introduction highlights the movement toward a national data privacy standard and the ongoing push to hold individuals accountable.
Addressing Security Governance and Mandates
If they have not done so already, executives need to foster the sharing of security information across the multiple teams that operate IoT or CPS systems, making each team more capable of addressing cyber threats. Moreover, the C-suite and corporate boards should more proactively gain an understanding of their company’s cyber and cyber-physical security infrastructure. Not just for compliance with mandates (although it certainly helps), but for the betterment of their business, employees, and stakeholders. Oh, and to keep their jobs.
About the Author:
Bud Broomhead is the founder and CEO of Viakoo.