How companies can stay ahead of the cybersecurity curve

Publication Type: Other Writing
Publication Date: March 20, 2017

If you’re like me, on a given day you interact with a whole range of connected technologies for work and play. Just today, I used Box to share and download files for work, called up Tile to find my keys, relied on Google Maps to run an errand while streaming a podcast to my AirPods, and connected via Skype with a colleague overseas. And that was all before lunch. As we interact with technology of all sorts, what security safeguards should we expect from the companies building the Internet of Everything?

Cyberattacks can interrupt business operations, hurting companies’ bottom lines, and can infringe upon the privacy and other human rights of consumers and the general public. Right now, there isn’t much regulation around companies’ cybersecurity practices. For example, Congress has not required that Internet of Things devices accept security updates, nor that consumer information be fully encrypted to limit the effects of a data breach. A Federal Communications Commission rule that would have required internet service providers to protect customers’ information has been halted.

We did see some progress under the Obama administration. State governments are continuing the effort. And forward-thinking companies are beginning to apply concepts like active defense and corporate social responsibility to cyberspace. As cybersecurity regulations take shape, companies can choose to stay in the vanguard of progress – or simply react, following the rules as they develop.

Managers must think in new ways about data, communications, business law and even the ethics of trading off potential corporate benefits against risks to consumers’ privacy. At stake is not only a firm’s reputation but also, potentially, legal liability for failing to follow emerging industry standards. For example, Consumer Reports recently announced that it will be rating companies’ cybersecurity and privacy practices. Businesses of all types, not just tech-centered ones, can help keep themselves in the clear by putting cybersecurity at the forefront of their risk management efforts.

A de facto standard of care

Although Congress has done relatively little about corporate cybersecurity standards, the U.S. government – in collaboration with industry – has created the National Institute of Standards and Technology Cybersecurity Framework. That document describes ways companies can evaluate their current networks’ security and work to improve them.

The NIST Cybersecurity Framework is helping to define what constitutes a “standard of cybersecurity care” – a set of obligations companies owe to their customers, and increasingly their vendors and partners, as a basic practice of doing business.

Though the NIST Cybersecurity Framework was not published long ago – the first version came out in 2014 – and is technically voluntary, more consultants are telling companies to follow it. It is likely to be even more widely adopted if, as expected, it becomes a key part of an upcoming Trump administration cybersecurity executive order.

Read the full piece at The Conversation