Compelling Evidence Shows That We Are Now in an Information Security and Privacy Crisis...

CRISIS

The current state of information security and privacy includes gigantic risks accompanied by inadequate controls to address these same risks. The prevalence of successful ransomware attacks involving multi-million dollar losses and extended service outages is just one of many prominent examples. CNA Financial, one of the largest insurance companies in the US, reportedly paid hackers $40 million in 2021 after a ransomware attack blocked access to the company’s network and stole the company’s data.

Acknowledging that not enough is being done to address our modern dependence on computers and networks, the Biden Administration issued Executive Order 14017 in February 2021. That Order initiated additional efforts to strengthen information security in US supply chains and US critical infrastructure. Clearly, what both government and corporations have been doing has not been working well. To set things right, markedly greater involvement of top management is imperative.

A 2017 Ponemon Institute study that interviewed 184 Chief Information Security Officers (CISOs) around the world found that some 60% now believe that cybersecurity is a business priority. Finding the right talent was a significant hurdle cited by some 56% of those CISOs, while some 50% branded their staffing efforts as inadequate. Closing this staffing gap is where an experienced consultant can make a big difference, especially when there is a need for an independent evaluation of the adequacy of internal efforts.

What many firms urgently need is a re-envisioning and a re-conceptualization of the whole area of information security and privacy. They need to up-level this area so that it gets much more attention from the Board of Directors, from top management, and from other business decision makers. A good place to start re-envisioning and re-conceptualizing is to ask yourself: how exactly does your organization know that its approach is working?

“I hereby report that I have issued an Executive Order declaring a national emergency with respect to the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States posed by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States” (Executive Order 13694)

— BARACK OBAMA, President of the United States of America


RISK VIEWPOINT

Top management urgently needs to reinvigorate the process of risk management to tailor information security and privacy to their specific organization’s needs, and stop placing so much reliance on compliance (which inherently relies upon a one-size-fits-all model). Top management also needs to expressly acknowledge and consider the influential disincentives that cause people to act in ways that are unsupportive of, even markedly detrimental to, information security and privacy. How do you know that your organization’s staff is in fact working in support of information security and privacy?


SOPHISTICATED DEFENSE

Many traditional management tools adopted to deal with information systems related problems -- like a help-desk trouble ticket system -- are woefully inadequate to meet today’s security and privacy threats. These traditional tools are deficient not just because they are only responsive and reactive, but also because they are applied manually. Modern attacks can and increasingly do employ artificial intelligence, neural networks, botnets, malware, machine learning, big data analytics, and other automated attack approaches. To be adequately protected, organizations must now have evaluated, planned, tested, rehearsed, and scripted a variety of automated contingency plans. How do you know that your controls are adequate to protect your organization against these new and sophisticated attacks?


LEGAL IMPACT

The involvement of legislators, regulators, judges, and lawyers in this area is rapidly expanding. For example, the Federal Trade Commission (FTC) has been stepping in and attempting to defend the rights of consumers. In just one of many actions it brought, in 2016, the FTC reached a $950,000 settlement with a mobile phone company that was tracking the physical location of consumers without their knowledge or consent. Also in 2016, the FTC reached a settlement with a widely-known Canadian on-line dating service that had been hacked. That settlement was $1.6 million, and that particular action was brought in response to the service's public release of personal details about the sex lives of 36 million individuals.

Civil suits are also increasing. For example, the controls found in the Health Insurance Portability and Accountability Act (HIPAA) were recently used as a reference point to bring a civil action alleging negligence (Byrne v. Avery Center for Obstetrics and Gynecology, P.C. (Connecticut Supreme Court 18904 slip opinion, 2014)). The approach used in this case allowed innovative plaintiff lawyers to bring a civil suit where there had previously been no “private right of action” (the right for individuals who have been harmed to bring their own lawsuit). Their approach used the legal concept of negligence per se, where violation of a law in and of itself makes negligence much easier to prove in a court of law. Does your firm have the documentation that it needs to adequately defend itself against these new lawsuits?

NEW LIABILITY EXPOSURE

A 2015 study done by Veracode and NYSE revealed that cyber-related corporate liability is now top of mind for both boards of directors and top managers. Nine out of ten of those surveyed believed that the Federal Trade Commission (FTC) should hold businesses liable for cyber breaches if due care has not been followed. More than 50% of those surveyed expect investors to demand more transparency as a result of increased public focus on cyber-security liability. How will your organization demonstrate -- to regulators, investors, customers, and the general public -- that it operates in compliance with all relevant laws and regulations?