November 27, 2017
Global industry has built a vast network in which the need for speed and the hunger for information have often pushed data protection to the back burner. Innovation has outpaced law, policy, and the governance of data, as well as the governance of access to the most critical systems, including financial infrastructure.
Everything with which we interact in business and in daily life is potentially connected to this vast and often unprotected network, exposing us to existing vulnerabilities and creating new ones. A thermostat or a refrigerator can become a path to unauthorized access to data. Social media encourages people to share personal information with millions of others. Before one knows into whose hands the data are falling, they can be used in nefarious ways or combined with other data sets to build detailed profiles of personal information that were never intended to be public. Those profiles can give strangers enough to take over the accounts of the original data owners, leading to further intrusion and access to still more data. Examples of this have dominated the headlines in recent months.
For businesses to change this dynamic, they must realize that adequate protection from cyber incidents is both policy based and rooted in a prioritized allocation of resources. As a baseline, a business should leverage cyber regulatory compliance, which is built largely on well-constructed frameworks and controls from standards bodies such as the National Institute of Standards and Technology and the International Organization for Standardization, and on the requirements of regulators such as the New York State Department of Financial Services. But while this is a good start, simply complying with baseline requirements is not enough for real security.
Security in this context requires true risk management, beginning with a board of directors that has prioritized the company’s assets and ensures that investment in cybersecurity protection is guided by the compliance and risk assessment work that regulators require.
Further, as the current cyber environment teaches us that a cyber event will happen – not if, but when – companies must prepare before an incident occurs. They must know how they will detect and respond to events and how they will protect their brand and reputation with constant and accurate messaging, both internally and externally. They must know how to be resilient and keep the business going, maintaining customer service and customer confidence, even while under attack. This requires business continuity planning and crisis management preparation, all of which is bolstered by assuring regulatory compliance and by establishing relationships with the business’s regulators so that events can be reported at the appropriate time. Unfortunately, a recent study conducted by IBM Security found that only 25 percent of businesses have an incident response plan applied consistently across the organization. Twenty-three percent have no incident response plan at all.
Taking these actions can differentiate a business in three key ways:
- The business can be transparent with shareholders and customers that cyber resiliency is a priority and that protections are in place (for example, end-to-end encryption that keeps customer data encrypted in transit and at rest wherever it travels, so that if data is stolen it cannot be read by anyone who does not hold the keys).
- The business can educate employees and customers about good cyber practices and the value of adopting stronger standards for data protection.
- When cyber misfortune does strike, being prepared to respond in a timely manner with a full response plan could actually generate positive headlines for preparedness.
Preparing for cyber incidents makes the business resilient; it will have the ability to fight the attack and keep operating well. However, this requires focus and investment while the company is not under duress. It means rehearsing an actual event, through exercises such as tabletop drills, just as teams prepare for a natural disaster or a pandemic.
And while businesses must proactively prepare for cyber incidents, the legal and policy communities play a critical role, too, and need to make clear to business that investment in protection is a necessity, not simply a cost, particularly as the average cost of a data breach is $3.62 million.
The legal and policy communities are the force needed to govern privacy, event response, event notification, and safety, because cybersecurity protects critical infrastructure in our electric, nuclear, transportation, and water systems. The earlier a potential cyber event is reported, the more rapidly that event and the indicators that identify it can be shared to protect others.
Today’s environment requires that businesses fortify themselves and that government work with the business community so that criminals are not the ones profiting from business innovation. The best way to do this is to leverage the required investment in regulatory compliance to drive a program of cyber resilience that benefits the company and its customers and frustrates cyber adversaries.
Dr. Phyllis A. Schneck is the Managing Director and Global Leader of Cyber Solutions at Promontory. Schneck spoke at Bloomberg Law’s Big Law Business Summit – West in San Francisco earlier this month.