Wednesday, December 16, 2015

ANALYSIS/OPINION:

Whenever you turn on the TV, open the newspaper or listen to the radio, inevitably there will be some story about a hacking incident, data breach or an individual’s privacy being compromised when a company has had their servers hacked. Yet for many of us, our mindset has not kept up with the changes to truly comprehend the implications of the connected world — and that goes especially for the decision-makers in the private and public sector in a position to do something about it.

For business leaders, protecting against cyberthreats means gaining a greater understanding of their organization’s digital infrastructure and how it operates on a day-to-day basis. For policymakers in Washington, it means finding the right balance between requiring private-sector disclosure of data breaches while maintaining the data privacy of their customers.

As Republican Rep. Will Hurd of Texas put it, “One of the biggest issues that we need to deal with, both in government and in business, is the evolving nature of threats.” Mr. Hurd is correct — there is no one-size-fits-all solution to improving cybersecurity. But with the recent introduction of the Einstein Act of 2015, he is proposing some important steps to address the threat.

The Einstein Act will improve the U.S. government’s cybersecurity. But it would behoove business leaders to follow Mr. Hurd’s lead by introducing protocols for their own companies on how to respond to and defend against a cyberattack and breach. With manufacturers connecting heavy machinery to the industrial Internet through the use of sensors, security becomes all the more important.

The data gathered by these sensors is making businesses smarter and more efficient, but it is also making them more vulnerable to attacks by foreign governments, professional hackers and those interested in espionage for their own personal gain. To avoid this unfortunate scenario, businesses must rethink their approach to cybersecurity with a well-defined plan that is always evolving and responding to the latest threats.

A comprehensive cybersecurity plan that both mitigates risks and is proactive with disclosure will help businesses avoid the “Oh, that just happened” moment. When a company is hacked, the plan would kick into gear, and the proper disclosures would be made to users, shareholders and authorities in a timely manner.

Each and every company that interacts with the public and collects data on its users should be required to publicly share its disclosure plans in the case of a breach. Transparency is the key to building and maintaining trust with the individuals who interact with the business.

In that spirit, Republican Rep. Marsha Blackburn of Tennessee and Democratic Rep. Peter Welch of Vermont have introduced the Data Security and Breach Notification Act of 2015 to standardize the process of reporting a security breach to affected U.S. residents, which would make it easier for businesses to comply with the law while continuing to maintain trust with their users.

Ms. Blackburn, who has described cyberspace as “the battlefield of the 21st century,” says the American people “deserve to know that their personal information is safe and secure.”

For larger breaches involving more than 10,000 users, the legislation would require businesses to notify the proper authorities — the Federal Trade Commission, Secret Service or Federal Bureau of Investigation — as well as consumer reporting agencies. Importantly, businesses would also have access to an online educational resource at the Federal Trade Commission to get help in crafting a cybersecurity plan.

Instead of waiting for Congress to act, business leaders should prepare for the worst — while hoping for the best — when it comes to preventing a cyberattack or data breach. It’s not a matter of if, but when, as companies large and small are potential targets. Some companies today may not even be aware that their systems have already been compromised.

To avoid this scenario, business leaders should hire in-house senior-level cybersecurity experts, such as a chief information security officer and a senior threat intelligence analyst. These individuals would be responsible for examining the organization’s digital infrastructure and using threat intelligence to develop a well-defined cybersecurity plan that would prepare the company for cyberattacks.

The cybersecurity plan should include the following:

• Conduct a threat assessment based on current global events and proprietary corporate information.

• Establish network-monitoring techniques focused on cyber-tactics that could be used against industrial companies to take over heavy machinery.

• Regularly audit the network to test for penetration.

• Conduct regular key control assessments for technologies and services.

• Analyze existing and future systems for possible security weak points.

• Train with leaders in cybersecurity and cyberwarfare.

• Maintain a relationship with law enforcement.

• Craft a disclosure plan in case of a data breach.

A well-defined security plan complete with timely disclosure will allow businesses to maintain the trust of their partners, users, shareholders and the public as a whole. Trust is the key to building any successful business, and without it there can be no business. As cybersecurity evolves, so should our mindset.

Grayson Brulte is the co-founder and president of Brulte and Co.
