The Cyber Security Mindset
Business leaders and policy makers need to wake up and realize what it means to live in an interconnected world — under constant threat of cyber attacks.
Whenever you turn on the TV, open the newspaper or listen to the radio, inevitably there will be some story about a hacking incident, data breach or an individual’s privacy being compromised because a company has had its servers hacked. Yet for many of us, our mindset has not kept pace with these changes enough to truly comprehend the implications of the connected world — least of all among the decision-makers in the private and public sector who are in a position to do something about it.
For business leaders, protecting against cyber threats means gaining a greater understanding of their organization’s digital infrastructure and how it operates on a day-to-day basis. For policy makers in Washington, it means finding the right balance between requiring private-sector disclosure of data breaches while maintaining the data privacy of their customers.
As Congressman Will Hurd of Texas put it, “One of the biggest issues that we need to deal with, both in government and in business, is the evolving nature of threats.” Congressman Hurd is correct — there is no one-size-fits-all solution to improving cybersecurity. But with the recent introduction of the EINSTEIN Act of 2015, he is proposing some important steps to address the threat.
The EINSTEIN Act of 2015 will improve the U.S. government’s cyber security. But it would behoove business leaders to follow Congressman Hurd’s lead by introducing protocols for their own companies on how to respond to and defend against a cyber attack and breach. With manufacturers connecting heavy machinery to the Industrial Internet through the use of sensors, security becomes all the more important.
The data gathered by these sensors is making businesses smarter and more efficient, but it is also making them more vulnerable to attacks by foreign governments, professional hackers and those interested in espionage for their own personal gain. To avoid this unfortunate scenario, businesses must rethink their approach to cyber security with a well-defined plan that is always evolving and responding to the latest threats.
A comprehensive cyber security plan that both mitigates risks and is proactive about disclosure will help businesses avoid the “Oh, that just happened” moment. When a company is hacked, the plan would kick into gear, and the proper disclosures would be made to users, shareholders and authorities in a timely manner.
Each and every company that interacts with the public and collects data on its users should be required to publicly share its disclosure plans in the case of a breach. Transparency is the key to building and maintaining trust with the individuals who interact with the business.
In that spirit, Congress members Marsha Blackburn of Tennessee and Peter Welch of Vermont have introduced the Data Security and Breach Notification Act of 2015 to standardize the process of reporting a security breach to affected U.S. residents, which would make it easier for businesses to comply with the law while continuing to maintain trust with their users.
Blackburn, who has described cyberspace as “the battlefield of the 21st Century,” says the American people “deserve to know that their personal information is safe and secure.”
For larger breaches involving more than 10,000 users, the legislation would require businesses to notify the proper authorities — the Federal Trade Commission (FTC), Secret Service or Federal Bureau of Investigation — as well as consumer reporting agencies. Importantly, businesses would also have access to an online educational resource at the FTC to get help in crafting a cyber security plan.
Instead of waiting for Congress to act, business leaders should prepare for the worst — while hoping for the best — when it comes to preventing a cyber attack or data breach. It’s not a matter of if, but when, as companies large and small are potential targets. Some companies today may not even be aware that their systems have already been compromised.
To avoid this scenario, business leaders should hire in-house senior-level cybersecurity experts, such as a chief information security officer and senior threat intelligence analyst. These individuals would be responsible for examining the organization’s digital infrastructure and using threat intelligence to develop a well-defined cyber security plan that would prepare the company for cyber attacks.
The cyber security plan should include the following:
- Conduct a threat assessment based on current global events and proprietary corporate information.
- Establish network monitoring techniques focused on cyber tactics that could be used against industrial companies to take over heavy machinery.
- Regularly audit the network and conduct penetration tests.
- Conduct regular key control assessments for technologies and services.
- Analyze existing and future systems for possible security weak points.
- Train with leaders in cybersecurity and cyber warfare.
- Maintain a relationship with law enforcement.
- Craft a disclosure plan in case of a data breach.
A well-defined security plan complete with timely disclosure will allow businesses to maintain the trust of their partners, users, shareholders and the public as a whole. Trust is the key to building any successful business, and without it there can be no business. As cyber security evolves, so should our mindset.