Cybernance’s Mike Shultz outlines what enterprises should consider priority when keeping internal assets safe online – and it’s not what you might expect.
Simple – a word that’s easy to say, but much more difficult to make a reality in the world of online safety. In the wake of the recent, massive breaches affecting nearly every household in the U.S., consumers are more skeptical than ever of their personal online security when interacting with brands, government agencies, and everyone in between. This month, I’m using the platform of National Cybersecurity Awareness Month to call on all organizations to take their internal security controls more seriously than ever before, all in the name of securing consumers, the nation, and their own bottom line.
I admit I have a personal ax to grind on this subject. My identity has been breached so many times, including in the 2015 OPM breach, that I feel like my personal privacy is an ongoing joke. The bad guys got everything, including my digital fingerprints. In return, I got ten years of credit monitoring. Then came the Verizon breach, the FDIC breach, and now Equifax, all of whom failed to employ the most rudimentary internal security controls, offering up my personally identifiable information, along with that of 143 million other Americans, to the bad guys. Like fingerprints, this is information you can’t realistically change: birthplace, birthday, Social Security Number, full name, and mother’s maiden name. They got it all. Free credit monitoring for a few years isn’t going to fix the core issue, which will one day bring down the negligent and irresponsible among commercial enterprises, credit reporting agencies, and government entities.
It suffices to say that the need for cyber governance and internal controls is well past “timely.” Businesses must dedicate themselves to the basic foundations of online security within their own virtual walls, not just assume that a well-protected outer perimeter is enough. The external perimeter is where, historically, the money is spent, the technology is implemented, and monitoring is done fairly regularly. It is the inner workings of an organization that need attention: the places where people outside IT and security do their work, and where their activity is largely uncontrolled and unmonitored.
Only in the last few weeks have we all been treated to the announcement of Equifax’s breach, to the tune of 143 million individuals and almost every household in the U.S. This was swiftly followed by the termination of the heads of information and cyber security, and now the CEO has “retired.” Largely overshadowed by the Equifax breach is the stunning announcement that the Securities and Exchange Commission (SEC) was breached, in 2016 no less, yet the agency saw no need to advise the public of this failure to protect such highly sensitive data. As a government watchdog, the SEC requires public companies to provide financial reports and forward-looking comments before it makes such information public. The SEC insists upon its good stewardship of such advance, confidential information, but as it turns out, those super-secret financial reports from public companies aren’t as protected as the SEC would have them believe. The ink isn’t even dry on the SEC breach, and now Deloitte, a Big Four accounting and consulting firm, has announced its involvement in a breach of federal government records, email addresses and private information. The irony of the organizations most expected to have total control and security suffering some of the largest data exposures in history is not lost on anyone, but it is certainly no joke.
While we haven’t yet seen the agency heads or executive fallout at the SEC and Deloitte, there are calls to have such issues addressed with something more than an “early retirement.” Early retirement is the easy way out for a board of directors that wants to show it is “taking action.” In reality, ex-CEO of Equifax Richard Smith and his $18 million retirement package are completely unaffected by a breach predicted to critically harm the lives of millions of Americans.
Simply put, each of these breaches was a complete breakdown of cyber-secure people, policies and processes; in many cases no cybersecurity protocols existed at all, so there was not even anything to be non-compliant with. So, how simple is it really to secure a company and its sensitive information, and what can be done to get enterprises on board with the people, policy and procedure best practices needed to secure not only their organizations, but also the nation?
The government has done good work in support of commercial enterprise security, largely found in its development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). This framework was developed under the guidance of NIST with input from thousands of professionals, and it has become the leading cybersecurity framework in the industry, at home and across the globe. The Australian Securities & Investments Commission considers the U.S. NIST CSF to hold particular relevance as a standard for managing cyber resilience among its financial service providers that operate globally. The NIST CSF’s status as a de facto global benchmark justifies the requirement that all federal agencies use it, and the most enlightened commercial enterprises have made the NIST CSF the gold standard for cyber maturity. Adding to the incentives for using the NIST CSF, in 2004 Congress passed the SAFETY Act. It provides protections for companies and their officers and directors, including immunity from third-party actions, when a SAFETY Act designated product is used in support of NIST-based cyber maturity and resilience.
Alongside adopting the NIST CSF, there are simple steps organizations can take to become more cyber resilient and vigilant.
- Use SAFETY Act designated products in support of cybersecurity assessment and monitoring.
- Regularly analyze, assess, monitor and report cyber maturity across the entire organization.
- Provide cybersecurity training for new employees, and annual training updates to current employees.
- Develop clear and actionable policies and processes for cyber security across all departments, and include third party vendors.
- Conduct regular, unannounced testing to understand and repair your internal weaknesses.
- Create a cyber-conscious culture across the entire organization, where employees are empowered to raise issues and expected to follow the rules in the name of maximum cybersecurity and protection of internal and customer data.
- Most importantly: leadership, meaning CEOs and boards of directors, must walk the cyber risk governance talk, putting it on its rightful mission-critical pedestal.
With an eye to these priorities, organizations can ensure their very existence and support their own important piece of the nation’s economic cyber defense.