US cybersecurity legislation -- better late than never!
By Fraser Thomas
Last week the US Congress began the process of making President Obama’s State of the Union address, where he focused on ways to secure the nation's businesses and infrastructure in cyberspace, a reality.
On Wednesday two House members reintroduced a bill requiring companies to meet a specific set of data security standards when handling customers’ personal information.
In the past, versions of the bill -- known as the Data Accountability and Trust Act (DATA) -- have been introduced several times, with one measure approved in 2009. No versions of the bill have ever become law, however, and in 2014, renewed efforts to push it through the House went nowhere.
The current proposal would deputize the Federal Trade Commission (FTC) to set nationwide data security standards for companies handling sensitive data, such as full names, Social Security numbers, ID information and credit card information. If this information was exposed by hackers, companies would have to notify their customers and the FTC. They could also face civil penalties of up to $5 million if they hadn’t adhered to the commission’s security standards.
Despite mounting pressure on Congress to pass the bill following high-profile cyberattacks on major companies like Target, Home Depot and JPMorgan, US businesses still need to take voluntary action to protect themselves; legislation alone will not solve the problem.
Stand up and be counted, or face punishment
For too long many of these organizations have not publicly communicated with their customers. They choose not to tell them that their personal data has been stolen, instead letting the media break the story. Worse still, even when the media makes the world aware, many insist on maintaining radio silence at a time when their customers are crying out for advice on how to limit the damage.
Unfortunately, many customers of these organizations still don’t know where and how their data is being used by hackers, resulting in some taking legal action, as has been seen with Target. However, while I sympathize with those affected by any data breach, legal action should be the last resort because protecting sensitive data should be a simple and cost effective task.
Convenience not ignorance
There’s no doubt that our new hyper-connected world offers many benefits to businesses and consumers alike. But accessing data anywhere, anytime and on any device has weakened corporations IT security defenses, and greatly contributed to the majority of the data breaches we’ve seen in the past few years.
The simple fact is that anyone using a personal wireless device to access corporate data represents a security risk, given the high-level of user-convenience and low-level of security afforded by these devices. And if you factor in that many of the IT security guys within these companies feel that their advice is being ignored, you’ve got the perfect conditions for a data breach.
Unfortunately this culture of convenience has led to widespread ignorance in terms of corporate data security. This, in part, has been driven from the top, with security policies being formulated around the CEO, or key executives, who want to be able to access a whole range of corporate data from their own personal devices. Sadly, even in light of the recent data breaches, there are many executives out there who still don’t understand this risk.
Collaboration is key
Although I’m in favor of the DATA proposal, I hope that any legislation will take into account the role “human error” can play in some data breaches; I truly don’t want to see businesses who’ve put the right protocols in place, being unfairly punished when they’ve been hacked.
Also, this legislation shouldn’t be used as a stick by IT departments to lock down data on a massive scale, denying remote and mobile access. Realistically, all departments -- ranging from IT to HR -- as well as external vendors need to work together to agree to a security policy that delivers the most effective working environment possible.
At the same time, all employees, from the board down, must accept that if they want the freedoms and benefits of working from home, or accessing email remotely on their own device, their access must and will be predicated by some degree of secure authentication, which in today’s world, must go beyond a username and password approach.
Security is all about the long game
The reality is, the threat that hackers pose to consumers, corporations and governments is not one that can be dealt with easily or quickly. And it’s this realization that every one of us needs to take into account to ensure we operate happily and securely in this digital age.
Fraser Thomas is VP International, Swivel Secure Inc.