To start the New Year, it only seems fitting to look back and address what went well with cybersecurity and data privacy. If we look back at 2017, the data, the trends, what went wrong, and what went right, we see the year was fraught with ups and downs. But despite all the hurdles, there was some legislation that could impact the space in the coming year, and we could see some changes as a result of it. What’s more, as a result of all the hacks and data concerns, 2017 produced some really great research on security, and this is important because it gives us data to analyze, discuss, and act upon for 2018.
For instance, BakerHostetler’s 2017 data security incident response report confirmed for us that cybercriminals don’t discriminate by industry, company size, or revenue.
In the past year, hacks and breaches have affected healthcare, finance, insurance, education, retail and hospitality, and government, among others. No industry is immune. Similarly, while businesses earning less than $100 million were the most targeted at 39%, bigger businesses didn’t fare much better.
Companies earning $100 million to $500 million represented 33% of incidents during the survey period, companies earning $500 million to $1 billion represented 17%, and companies earning $1 billion and up represented 11%.
We have to ask ourselves what billion-plus companies are doing that smaller companies are not. Is it investment in security systems or personnel dedicated to security?
Perhaps, small and midsize businesses are particularly at risk for a couple of reasons:
Compared to an individual, a small business typically has more money, assets, bank accounts, and activity—and therefore, it has more risk.
Compared to a larger corporation, a small-to-midsize business typically has fewer resources dedicated to security defense. Executives at smaller companies often wear many hats, and they may not have time to spend learning about the risks and what they can do to prevent breaches and attacks.
And this is exactly why we talk about these research reports so often in this column and on The Peggy Smedley Show. I’m doing more than just throwing numbers at you. I’m trying to get everyone in the industry on the same page. Research paints a broad picture of what’s really happening and the numbers illustrate the picture very colorfully.
- Without data, we wouldn’t know whether small businesses or large businesses are most at risk.
- We wouldn’t know which industries are faring worse than others. It’s just like what we always say with the IoT; data gives us something to base decisions off of.
- Without data, we’re all just shooting blindly.
Another important cybersecurity research report that came out this year was Cisco’s 2017 Midyear Cybersecurity Report. This report proved valuable because it analyzed the past and used this information to predict the future. For instance, Cisco says IoT botnet activity in 2017 may foreshadow a destructive trend in cybercrime called DeOS (destruction of service) attacks.
DeOS attacks eliminate the backups organizations need to restore their data, basically leaving them without a safety net in the event of an attack.
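The defensive counterpart to what the column describes is knowing, before an incident, whether your backups would survive one. The check below is an added example, not code from the column, Cisco, or any vendor: it compares every stored copy of a backup set against a hash manifest, flags files that are missing or altered, and only reports the set as restorable if each file has an intact copy somewhere and at least one fully intact copy is offline or write-once, so a compromised production account cannot delete it. All file names, payloads, and copy locations are constructed in memory for the demonstration.

```python
"""Backup-set verification of the kind that blunts a DeOS (destruction of
service) attack: does every file in the manifest still have an intact copy,
and is at least one intact copy out of reach of production credentials?

Added example, not from the column or any vendor. Every file name, payload
and copy location below is constructed for the demo.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed payloads standing in for real backup artefacts.
DB_DUMP = b"-- constructed db dump --"
FILES_TAR = b"constructed tar payload"
CONFIG = b'{"app": "constructed"}'

# Constructed manifest, as a backup job would record it at backup time.
# The real one belongs somewhere production credentials cannot rewrite.
MANIFEST = {
    "db-2017-12-31.dump": sha256(DB_DUMP),
    "files-2017-12-31.tar": sha256(FILES_TAR),
    "config-2017-12-31.json": sha256(CONFIG),
}


@dataclass
class Copy:
    """One stored copy of the backup set (a NAS share, a bucket, a tape)."""
    name: str
    contents: dict            # file name -> bytes; an in-memory stand-in here
    immutable: bool = False   # offline or write-once: out of reach of prod creds


@dataclass
class Report:
    unrestorable: list = field(default_factory=list)   # no intact copy anywhere
    tampered: dict = field(default_factory=dict)       # copy -> files with bad hash
    missing: dict = field(default_factory=dict)        # copy -> files not present
    intact_immutable_copies: int = 0

    @property
    def restorable(self) -> bool:
        """Every file has an intact copy AND one immutable copy is fully intact."""
        return not self.unrestorable and self.intact_immutable_copies >= 1


def verify_copy(copy: Copy, manifest: dict) -> dict:
    """Compare one copy against the manifest; returns file -> ok|missing|tampered."""
    status = {}
    for fname, expected in manifest.items():
        if fname not in copy.contents:
            status[fname] = "missing"
        elif sha256(copy.contents[fname]) != expected:
            status[fname] = "tampered"
        else:
            status[fname] = "ok"
    return status


def assess(copies: list, manifest: dict) -> Report:
    """Decide whether the backup set survives the loss of any online copy."""
    report = Report()
    good_copies = {fname: 0 for fname in manifest}
    for copy in copies:
        status = verify_copy(copy, manifest)
        missing = sorted(f for f, s in status.items() if s == "missing")
        tampered = sorted(f for f, s in status.items() if s == "tampered")
        if missing:
            report.missing[copy.name] = missing
        if tampered:
            report.tampered[copy.name] = tampered
        for fname, s in status.items():
            if s == "ok":
                good_copies[fname] += 1
        if copy.immutable and not missing and not tampered:
            report.intact_immutable_copies += 1
    report.unrestorable = sorted(f for f, n in good_copies.items() if n == 0)
    return report


# Constructed scenario: an online NAS copy and an offline tape copy.
FULL_SET = {"db-2017-12-31.dump": DB_DUMP,
            "files-2017-12-31.tar": FILES_TAR,
            "config-2017-12-31.json": CONFIG}
nas = Copy("nas-share", dict(FULL_SET))
tape = Copy("offline-tape", dict(FULL_SET), immutable=True)

# Constructed DeOS outcome: the attacker reached the NAS and wiped it.
nas_wiped = Copy("nas-share", {})

if __name__ == "__main__":
    print("online copy only, intact:", assess([nas], MANIFEST).restorable)              # False
    print("NAS wiped, tape intact:", assess([nas_wiped, tape], MANIFEST).restorable)   # True
```

The policy line is `restorable`: an intact online copy alone still fails, because the whole point of a DeOS attack is that an online copy reachable with production credentials is the first thing destroyed. Run the same check on a schedule and alert when `missing` or `tampered` is non-empty; a copy that suddenly loses files is an early signal worth investigating.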
Here again, now that we know this, we can all come together and say, OK, how do we defend ourselves against DeOS attacks? Let’s talk more about what we did right in 2017.
Last spring, there was a really cool collective training event called Cyber Shield 17 that brought about 800 people together to educate and train themselves in security.
This past year was the sixth iteration of Exercise Cyber Shield, and it was held at Camp Williams in Utah. The event involved a week of classroom training and preparation and a weeklong scenario-based exercise that gave participants a feel for responding to a real-world cyber threat.
This event is so important because it gives the National Guard the ability to practice.
This way, if a major event occurs, the U.S. government is not winging it. At any given time, I think it’s safe to assume that someone, somewhere is under cyberattack. We all need to run our businesses as if this were true, and governments in particular can never afford to let their guard down. Working together is an important way we can prepare for the inevitable.
Sharing best practices, talking about our successes and failures openly, and holding events like the Cyber Shield exercise are all steps in the right direction.
Another step the U.S. may take in 2018 comes in the form of legislation. In the fall of 2017, Senator Edward Markey introduced a bill to the Senate called the Cyber Shield Act of 2017. The goal is to establish a voluntary program to “identify and promote Internet-connected products that meet industry-leading cybersecurity and data security standards, guidelines, best practices, methodologies, procedures, and processes.”
The Cyber Shield program requires the U.S. Secretary of Commerce to establish and maintain cybersecurity and data security benchmarks for IoT devices. The secretary would do this by working with interested parties, including other federal agencies, the public, and an advisory committee.
Essentially, a Cyber Shield-certified product would need to meet certain security standards, which may include testing by a third party. Any benchmarks set by the program would need to be reviewed every two years.
I like this idea. Think about it. If there are as many as 50 billion IoT devices by 2020 as has been projected, there is a strong argument for making sure we put appropriate security safeguards in place for these devices. Otherwise, we’re opening up our homes, businesses, and nation to undue risk.
The proposed bill also includes a call to educate the public about the Cyber Shield label. I am all about education, and you can’t help but appreciate that the real selling point here is consumer education.
I guess we will just have to wait and see what happens with the bill, but if it does pass into law, I am very hopeful we will see an even greater push for cybersecurity education as a result.