Cybersecurity took center stage in 2016 across multiple arenas. But not for good reasons. Whoever said, “There’s no such thing as bad publicity” never experienced a data breach.
Last year, organizations around the globe experienced 2,260 publicly disclosed breaches, exposing approximately 2.2 billion records. Yahoo made headlines for experiencing the largest hack in history – and is literally paying the price. Yahoo and Verizon have agreed to lower the search media giant’s purchase price by $350 million as a direct result of the breach.
Connected devices pose a real threat, as demonstrated by the distributed denial of service attacks experienced last year. These attacks also illustrate how the Internet of Things can be repurposed for malicious use: devices can be taken over for ransomware, controlled remotely or used to exfiltrate data.
It was a banner year for ransomware as well. In the first quarter of last year alone, there was an average of more than 4,000 attacks per day. That was a 300 percent increase from the 1,000 ransomware attacks observed on average per day in 2015.
Not even the U.S. presidential election was spared. The 2016 election cycle included the hacking of the Democratic National Committee during the campaign. Then, in January, the Office of the Director of National Intelligence published a report that said “Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the U.S. presidential election” with a goal to “undermine public faith in the U.S. democratic process, denigrate Secretary (Hillary) Clinton and harm her electability and potential presidency.”
Clearly, our new president and other politicians will be challenged this year by—and likely pushed to respond to—the problem of hacking.
What Lies Ahead
This is not a new discussion, of course. During his administration, President Barack Obama passed the Cybersecurity Act of 2015. That aimed to create a framework for the voluntary sharing of cyber threat information between private entities and the federal government, as well as within agencies of the federal government.
One year after that law took effect, the Obama administration’s Commission on Enhancing National Cybersecurity released its “Report on Securing and Growing the Digital Economy.” It identifies cybersecurity gaps and how to address them.
However, those problems and prescriptions are fairly general. For example, it talks about the need for collaboration between the federal government and the private sector. It suggests the next administration should develop concrete efforts to strengthen the cybersecurity of small and medium-sized businesses.
The new administration now has the chance to move from the general to the specific. And the sooner, the better. Business leaders and their teams should do the same. Here’s why.
In its October 2016 paper “2017 Predictions: Dynamics That Will Shape the Future In The Age of the Customer,” Forrester predicts that within 100 days, the new U.S. president will face a major cyber crisis. The research and consulting firm also predicts that this year, a Fortune 1000 company will fail because of a cyber breach.
A similarly dire prediction comes from Ed Amoroso, AT&T’s recently retired chief security officer. Late last year he offered this: “I believe that during the next presidential administration, we are going to see a massive cyberattack on infrastructure. I believe it is going to be of devastating proportions, and I think we are not ready for it.”
One contributing factor to this current state of affairs is the lack of laws and regulations on this front. But because cyberattacks have become high-visibility events, and because cybersecurity legislation could help politicians move their careers forward in the process, there’s likely to be much more concrete action on the cybersecurity regulatory front in the near future.
Europe and Australia have already passed or are working on cybersecurity legislation, as are multiple U.S. states. For instance, Australia has developed a national strategy through which government and the private sector are working together to address cybersecurity. Last year, it issued a white paper describing major risks and initiatives on this front. And a few years ago, it created the Australian Cyber Security Centre, an initiative to make the country’s networks harder to compromise.
The European Union approved cybersecurity rules last summer that force businesses to strengthen their defenses. They require banking, energy and major tech companies to report attacks, and they set out how EU nations must cooperate on network security matters. In May 2018, the EU’s new General Data Protection Regulation (GDPR) begins to take effect, adding still more rules and regulations around data privacy and security.
On the home front, at least 28 states introduced or considered cybersecurity legislation last year, and 15 states enacted such laws in 2016, according to the National Conference of State Legislatures. Most of these laws and bills address national infrastructure and governmental agencies, but some specifically target the interests of businesses.
As a case in point, S.B. 1137 was one of three cybersecurity bills signed into law in California last year. It makes it a crime for a person to knowingly introduce ransomware into any computer, computer system or computer network.
The state of Colorado took a different tack with its H.B. 1453. This bill calls for the creation of a state cybersecurity council to provide policy guidance to the governor. That council will also coordinate with the general assembly and the judicial branch regarding cybersecurity. Utah’s H.B. 241, which the governor signed in March of 2016, enacts civil penalties for hackers. And Washington state’s H.B. 2375, which the governor signed in April of 2016, establishes the State Cybercrime Act.
A Two-pronged Security Approach
Organizations with a stake in cybersecurity and related regulations—which is to say, most organizations—need to be ready for what’s happening on that front.
How? One way is to take an active part in the cybersecurity discussion – and do so now, before cybersecurity regulatory decisions are cemented. Another way is to be forearmed with both leading-edge network security solutions and a team that is trained and certified to handle evolving cyber threats.
Empowering a workforce with up-to-date skills and the tools they need is critical to network safety. Because regulations typically lag technology by three to four years, businesses can’t wait for legislators to meet their needs. Regulations are important, but they alone will not protect the network; the diligent application of knowledge and innovation must play a part as well.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. Combining over 20 years of product management and technical marketing positions, and over a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications.