Sometimes, government intervention is just what cybersecurity needs
By Wallace Sann, CTO, ForeScout Technologies, Inc.
Business often finds itself at loggerheads with government forces. It can feel like the purpose of government is to impede progress with layers of regulations, sometimes slowing the flow of business to a crawl with unnecessary bureaucracy. Once in a while, though, from the perspective of private business, the government gets it right.
August 22 of this year is a case in point. On that date, an appeals court ruled that the Federal Trade Commission (FTC) can hold private businesses accountable for protecting customer data. This is clearly good news in terms of protecting consumers. The ruling should shift the current game of “hot potato” that retailers, banks, insurers and technology providers have been playing to one of accountability by putting customer data protection first.
It’s only in the last few years that data breaches have become catastrophic for consumers, and most of the time, they are left to fend for themselves. A business scrambles to determine the cause of the hack and fix it, leaving few resources dedicated to remedying customers’ financial and emotional pain. This new ruling in the FTC’s favor forces the focus to shift. Any entity that captures private consumer information online needs to be held accountable for data safety.
Let’s illustrate this point with an example from daily life. Imagine that your bank routinely forgets to lock the vault at night, though it guarantees excellent security measures. One night, robbers empty the vault, but the response of the branch managers is to simply shrug and say, “What a shame. Your money’s gone.” You’d be looking for a new bank in a hurry. Now, imagine the same situation in the digital sphere. How many customers would stand by a business that provided little protection and support after their valuable and private information had been breached?
It’s a coincidence, but a telling one nonetheless, that the August 22 ruling came just after the Ashley Madison data hack. Granted, the case that led to the pro-FTC decision involved the Wyndham hotel chain, not Ashley Madison, but the underlying principles are identical. In each case, the provider offered public promises about strong security that turned out to be empty.
Empty promises are no way to run a business, and companies—cloud service providers in particular—should be held to a higher cybersecurity standard. The government acknowledging and enforcing the importance of the data privacy issue is a great step forward.
Companies that do business online are the ones affected by the recent ruling, but there is another party involved in preventing credential theft: consumers. Today, everyone is building his or her own digital footprint – a thing that can’t be erased. Digital identities are established starting with a kid’s first game of Fruit Ninja and grow richer with every action taken online. Everyone with digital behaviors is vulnerable, whether you’re secretly logging into Ashley Madison or buying a birthday present for your spouse. Hackers are not all motivated by simple financial gain. Some of them, labeled “hacktivists,” claim a moral agenda. They care less about stealing credit card numbers and more about taking a stand by exposing private data and “teaching a lesson” via public shaming.
Target. Ashley Madison. Anthem. OPM. The litany of high-profile data breaches goes on and on. Accordingly, businesses must put as great an emphasis on cybersecurity as hackers put on your personal credentials.
Breach-weary consumers have learned, sometimes the hard way, that they bear a degree of responsibility in protecting their online identities and assets. They understand that the Internet is not safe. But the far larger portion of responsibility lies with businesses, whose presence on the Internet implies that they have taken every precaution to ensure the safety of customers’ data. The FTC ruling takes that implicit assumption and codifies it into law. This ends up being a win for consumers, who now have the power of the law behind them, and also a win for businesses, because they will now be required to safeguard customer data and, with it, their own brand.
About the Author:
Wallace Sann joined ForeScout Technologies in 2006 and currently serves as ForeScout's Public Sector CTO and Regional VP of Systems Engineering. In this role he provides technical leadership for ForeScout's Public Sector programs and Product & Certification roadmap, while also overseeing the Public Sector Systems Engineering team. He participates in numerous industry panels and speaking engagements on continuous monitoring, visibility, access control and automation. Prior to joining ForeScout Technologies, Mr. Sann worked in various capacities with the D.C. Government, Dept. of Interior and Dept. of Homeland Security. He spent the first 6 years of his career as a Communications Electronics Chief in the United States Marine Corps. Mr. Sann has a B.S. in Information Assurance from the University of Maryland University College.