Cyber Incidents Underscore Absence of Real Private Sector Cybersecurity Standards
Sometimes it takes a public event to remind corporate risk managers about the importance of effective risk management. While corporate risk management functions have become yet another “hot” topic or new-fangled response to corporate failures to prevent obvious risk, most organizations continue to wander in the world of reactive business planning rather than proactive prevention.
It has been fairly obvious for years that most corporate organizations do not allocate sufficient resources, expertise and commitment to implementing effective risk management programs. Further, companies claim to have developed “crisis management” protocols only to see them ignored or falter when a real crisis demands them. COVID-19 exposed the weaknesses in government and private sector planning, analysis and risk management.
The May 2021 ransomware attack on Colonial Pipeline (and the subsequent cyber attack on JBS) demonstrated yet again the failure of government and business to address cyber risk with traditional tools: risk and vulnerability analysis, technology and planning to reduce the likelihood and impact of a cyber event, and a crisis response protocol. In the aftermath of this debacle, the public lined up to purchase gallons of gasoline because of a short-term shortage in gasoline. These scenes of panic were a reminder of the impact that poor government and business risk management can have on public reaction.
The Biden Administration responded quickly with an executive order to update the government’s own cybersecurity practices. Federal agencies were directed to take a variety of actions: remove contractual barriers so that service providers share threat and incident information, adopt multi-factor authentication, encryption and zero-trust architectures, tighten software supply chain requirements for what the government buys, and improve endpoint detection and logging so that incidents can be found and investigated.
All of that is well and good, but until the private sector is subject to enforceable cybersecurity requirements, not much is going to change. Congress has stumbled around for years when it comes to imposing any kind of meaningful requirements on corporate cybersecurity practices. For example, there still is no general federal requirement that a company notify law enforcement and the public after it suffers a cyber-attack or cyber incident. Similarly, outside a handful of regulated sectors (health care under HIPAA, financial institutions under GLBA, the bulk electric system under NERC CIP), there are no federal standards that companies in a given industry must meet to protect against cyber-attacks.
Instead, companies face a patchwork of state requirements relating to data security, breach disclosure and remediation. A cyber incident is usually followed by a private class action with no meaningful “teeth” that dissipates into yet another cost of doing business. Business leaders who run the cost-benefit analysis usually conclude that the cost of prevention exceeds the expected economic harm and reputational damage, or at least that is how the analysis comes out when the harm is discounted as unlikely.
Some have suggested that the latest cybersecurity executive order is the first step in the new administration imposing real requirements on the private sector. I will believe it when I see it. Corporate interests have been able to block such efforts in the past and there is nothing to suggest they will not do so in the future.
In response to the Colonial Pipeline incident, various Senators are rumbling about new legislation. Big deal – this has happened before, frankly for decades. In the end, the federal government will retreat to “leading by example,” and there will be no substantive change in performance.
If there were somehow a magical change in corporate priorities and planning, the private sector would quickly adopt far-reaching planning and response measures to prevent a cybersecurity incident. Companies would conduct robust risk and vulnerability assessments to identify weaknesses surrounding confidential business data and personally identifiable information, since cyberattacks usually zero in on this information to extort ransom payments. Modern ransomware operators do not simply encrypt systems: they first copy the most sensitive data out of the network and then threaten to publish or sell it if the victim refuses to pay, so that restoring from backups alone does not end the extortion.
In response, organizations have to complete a vulnerability assessment and then design processing and storage plans to minimize the risk of intrusion and access to this information. Encryption of data in transit and at rest is part of the answer, but it protects against theft of the storage itself, not against an attacker who logs in with a stolen employee credential and reads the data as that user would; multi-factor authentication, least-privilege access, network segmentation and tested offline backups have to accompany it. A comprehensive data mapping program is an essential step in this process. By reviewing its data sets across the organization, a company quickly realizes that some data is no longer needed for the business and can be deleted, which shrinks what an intruder can steal. The result is an accurate inventory of what data the company holds, where it lives, who owns it and why it is kept.
A critical part of this process requires companies to evaluate their own internal IT controls. Access controls such as least privilege and multi-factor authentication limit how far an intruder can move once inside; hardening of network and email infrastructure (patching exposed services, filtering malicious attachments and links) closes the most common entry points. Companies also should be improving logging and monitoring, because accurate, time-synchronized logs from endpoints, identity systems and network devices are what an investigator needs to reconstruct how an attack unfolded. Those logs are only useful if they are retained long enough to cover the weeks an intruder may spend inside before acting, and if they are stored centrally where the intruder cannot delete them along with the rest of the evidence.
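The data mapping exercise described above is easiest to understand with a concrete inventory. The following is an added example, not code from the original article or from any company it discusses: it takes a small, constructed list of data sets (the system names, paths, owners, retention periods and sample contents are all hypothetical), labels each by the kind of sensitive data it contains (Social Security numbers, email addresses, payment card numbers validated with the Luhn check so that arbitrary 16-digit strings are not flagged) and marks data sets that have outlived their retention period or have no owner, which are the ones a company should be deleting or reassigning. A real program would replace the constructed list with a crawl of file shares, database catalogues and SaaS exports.

```python
"""Minimal data-mapping scan: classify sample records by the sensitive data
they contain and flag data sets that are stale or unowned.
Added illustration; not code from the original article."""
import re
from datetime import date

# Hypothetical retention policy per system, in days (assumed values).
RETENTION_DAYS = {"hr-share": 365 * 2, "crm-db": 365 * 5, "legacy-ftp": 365}
DEFAULT_RETENTION = 365

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Candidate card numbers: 13-19 digits with optional spaces or dashes;
# every candidate is confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Constructed inventory entries (fictional systems, paths and people).
SAMPLE_INVENTORY = [
    {"system": "hr-share", "path": "payroll/2019/staff.csv", "owner": "HR",
     "last_used": date(2019, 3, 1),
     "sample": "Jane Doe,123-45-6789,jane.doe@example.com"},
    {"system": "crm-db", "path": "customers.orders", "owner": "Sales",
     "last_used": date(2021, 5, 20),
     "sample": "order 8812 paid with 4111 1111 1111 1111"},
    {"system": "legacy-ftp", "path": "exports/old_leads.txt", "owner": None,
     "last_used": date(2018, 11, 4),
     "sample": "lead: bob@example.net, ref 1234567812345678"},
    {"system": "crm-db", "path": "product.catalog", "owner": "Marketing",
     "last_used": date(2021, 6, 1),
     "sample": "SKU-200 widget, list price 19.99"},
]
DEFAULT_TODAY = date(2021, 6, 15)  # fixed "today" so the run is reproducible


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive-data labels found in a text sample."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if EMAIL_RE.search(text):
        labels.add("email")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.add("card")
            break
    return labels


def build_data_map(inventory, today):
    """Produce one inventory row per data set with labels, staleness and risk."""
    rows = []
    for item in inventory:
        labels = classify(item["sample"])
        age_days = (today - item["last_used"]).days
        stale = age_days > RETENTION_DAYS.get(item["system"], DEFAULT_RETENTION)
        unowned = item["owner"] is None
        if labels and (stale or unowned):
            risk = "high"     # sensitive data nobody is minding or still needs
        elif labels:
            risk = "medium"   # sensitive data with an owner and a purpose
        else:
            risk = "low"
        rows.append({
            "system": item["system"],
            "path": item["path"],
            "owner": item["owner"] or "UNASSIGNED",
            "labels": sorted(labels),
            "stale": stale,
            "risk": risk,
        })
    return rows


if __name__ == "__main__":
    for row in build_data_map(SAMPLE_INVENTORY, DEFAULT_TODAY):
        print(f'{row["risk"]:6} {row["system"]:10} {row["path"]:28} '
              f'owner={row["owner"]:10} stale={row["stale"]} {row["labels"]}')
```

Run as a script, the two "high" rows are the payroll export that is two years past its retention period and the ownerless lead list on the legacy FTP server; those are the candidates for deletion, which is the point of the mapping exercise: a company cannot lose data it no longer holds.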
Many companies are moving to cloud storage and hosted services to reduce the vulnerabilities of on-site software and data systems. Moving to the cloud shifts some responsibility to the provider (physical security, patching of the underlying platform) but not all of it: the customer still owns its identities, access permissions and configuration, and serious cloud breaches have come from exactly those, such as storage buckets left world-readable or administrator accounts without multi-factor authentication. Planning is needed in these environments as well to mitigate those risks.
A company can use its cyber risk and vulnerability assessment to plan a response to a cyberattack. These plans often include an arrangement, made in advance, with a third-party incident response firm to handle a ransomware event or other intrusion, and with outside counsel so that the investigation can be conducted under privilege. The crisis response plan should cover compliance with legal notification requirements, preservation of evidence (forensic images and logs captured before systems are wiped and rebuilt, since restoration destroys the trail), and the external communications needed to manage the incident. To implement the plan, companies have to identify in advance a cross-section of corporate representatives, including information technology, human resources, legal and compliance, public relations/communications and senior management, and rehearse the plan with them, because a plan that is first read during an incident is the one that falters.