The Government Shouldn't Have to Intervene in Cyber Security

01/21/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Information Security

In last night’s State of the Union address, President Obama spoke on the urgency of cyber security for the United States and for the businesses on our shores. “If we don’t act,” said the President, “we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.” The administration plans to propose new legislation to combat cyber threats, including measures such as:

  • More effective sharing of cyber security information between organizations
  • Better tools for law enforcement to combat cyber crime
  • Federal breach notification standards

These are good steps. For cyber security professionals, it’s exciting to see our priorities receiving such prominent attention on the national stage (and not just because it is a boost to our job security). But as we look forward to potential federal actions on cyber security, I can’t help but think that it’s a sad state of affairs when the government has to intervene at all.

The state of cyber security

Today, data is everywhere. There is much more data – and that data is more mobile and easily accessible – than ever before. The collection, storage, and analysis of data have accelerated. Companies increasingly rely on remote access, cloud storage, and ubiquitous mobile devices to facilitate business and make it easier to work, but this proliferation of data has also made life easier for hackers. Now, major breaches are occurring on a regular basis, causing serious disruptions to businesses like Sony Pictures Entertainment and some of the nation’s largest retailers, as well as exposing the data of countless consumers.

Cyber security is a serious challenge, to be sure. But at this point, it’s an indictment of U.S. businesses that they’ve been lackadaisical in their security measures for so long that threats have grown as large as they are today – and that the government now feels compelled to act because businesses have not done enough on their own to protect data and prevent breaches.

Consider breach notification laws, which are on the books (in various forms) in 47 states. Most of these laws are relatively recent. One major difference in our understanding of the security landscape today versus ten years ago is that these laws now obligate companies to report breaches when they experience them. Breaches have been an issue for some time, but in the past, many companies would simply cover them up. Today, breach notification laws help consumers know whether their identity has been stolen or whether they need to take specific precautions to protect themselves. By acknowledging the incident publicly, organizations are also pressured to improve their security and protect themselves more successfully from future attacks, in order to avoid an impact on their reputation.

But the problems go well beyond reporting breaches. In order to protect themselves and their customers, businesses will have to commit to robust, diligent cyber security. And all too often, it seems organizations are reluctant to do so unless required.

Better solutions

Unfortunately, government security specifications like HIPAA have often tended toward vague or generic prescriptions for security, not going far enough to truly protect organizations and allowing companies to comply using a relatively minimal degree of security safeguards. This approach has led most companies to focus their security efforts on complying with the regulation rather than assessing and managing security risk effectively, and has left company executives with a false sense of security once their organization attains compliance with a regulation. It is likely that a federal breach notification law, to take one example, would go no further than the most stringent of the existing state laws, and on the whole, these laws could be a good deal more aggressive.

What is the solution, then? For starters, lawmakers could look to industry-driven security specifications for guidance. The PCI Data Security Standard – a set of rules developed collaboratively by the major payment card brands and imposed on all merchants who accept their cards – is more specific, prescriptive, and restrictive than most government rules.

It is also essential that businesses take the initiative on security issues, and here there is reason for hope. From high-profile breaches to a spotlight in the State of the Union, there is much greater awareness of security issues than in the past, and C-level decision-makers and board members alike are paying attention. It’s hard to find a senior executive who hasn’t been associated with an organization that has experienced a breach, and this may be a springboard for change. If more businesses commit to security, we may see the beginnings of real transformation, regardless of government involvement.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.