The turkey’s been carved, the chaotic consumerism has commenced, the holiday season is in full swing! While December is a whirlwind of stocking-stuffing and present-wrapping, take a moment to reflect on all that’s happened in 2017.
2017 has been a particularly bad year for data debacles and cybersecurity breaches. Remember the Big Three: WannaCry, Petya/NotPetya, and the Equifax breach? Not good. Fortunately, federal and state governments, and companies large and small, recognize that lasting legislative change is required to prevent future cyberattacks and protect everyone’s data.
As we enter the season of giving, here’s what governments and businesses are offering to remedy past mistakes. The gift that keeps on giving? Progress in the form of policy change.
Healthcare systems, federal agencies, higher education and financial institutions are among the sectors most at risk of cyberattacks. Funding and solutions are often geared toward protecting these massive institutions, which store sensitive data for millions of consumers. But if we’re protecting the giants, who is looking out for the small fries: small businesses?
A new bill, advanced in April by Senators Risch and Schatz (of Idaho and Hawaii respectively), passed the Senate in September, in the wake of the Equifax data disaster. It would “require the federal government to offer more tools to small businesses to [safeguard] their networks from cyber threats.” Specifically, the legislation would require the National Institute of Standards and Technology (NIST), the physical science laboratory and standards agency within the Department of Commerce, to “publish and disseminate resources” aimed at small businesses.
Small businesses have assets, customers, and employees just like large businesses. We need to ensure they’re not needlessly exposed to threats.
On May 11, 2017, President Trump signed a long-awaited and much-heralded cybersecurity Executive Order (EO 13800) with the goal of “strengthening the cybersecurity of federal networks and critical infrastructure.” Initially lauded for being all-encompassing and bipartisan, the plan it put in place has already missed several of its own deadlines.
The EO calls for federal agencies to share cyber technology and adopt common security frameworks. By sharing valuable data, frameworks, and insights across agencies, the government could reinforce cybersecurity holistically, rather than continue down the path of siloed expertise and resources. After all, “security is only as strong as the weakest link in the network” (TechCrunch).
New bipartisan cybersecurity legislation was recently introduced in the Senate. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 hopes to assuage growing fears surrounding the Internet of Things, a “catch-all category of web-connected devices that includes fitness trackers and smart thermostats”. The more interconnected our devices become, the greater the likelihood of a crippling cyberattack that could disrupt daily life for millions of people. It’s not only smartphones and computers, but home security systems, cars, and even refrigerators. The “sheer number of IoT devices” is “expected to exceed 20 billion devices by 2020.” (Wired)
The legislation sets minimum security requirements for IoT devices sold to the federal government: vendors must certify that the devices have no known vulnerabilities at the time of sale and must provide patches for vulnerabilities discovered later. In addition, companies must promptly disclose vulnerabilities, in an effort to increase accountability and reduce the negative impact on customers. For more details on the IoT Cybersecurity Improvement Act of 2017, check out the fact sheet.
Take Amazon Key, for example. The in-home delivery system sounds super convenient, but the hack potential is hard to ignore.
Who can forget the infamous Equifax Breach of 2017? No one is likely to sleep soundly for a very, very long time, as repercussions from the hack are likely to haunt Americans (and some Canadians) for decades. Fortunately, consumers can protect themselves by being vigilant…and there are tools to help!
Free of charge, and without waiving their right to legal action, consumers can enroll in TrustedID Premier for credit monitoring and identity theft protection. LifeLock notes, “When it comes to credit monitoring, you can take one of two approaches: doing it yourself or paying a company to do it for you.” If you buy, you pay a subscription fee for a third party to monitor credit activity associated with your Social Security number and notify you if something looks fishy. If you DIY, your best option is to stagger the free annual reports you are entitled to from each of the three bureaus across the year, so you can verify your own credit activity every few months.
A credit freeze is a process that allows consumers to seal their credit reports using a PIN. Under a credit freeze, no new lines of credit or accounts can be opened in an individual’s name. Note that a freeze must be placed separately with each of the three bureaus (Equifax, Experian, and TransUnion); freezing only one leaves the other two open. This added layer of security is one of the most effective ways to protect yourself against identity theft, especially in the wake of a security breach. And when you want to establish a new line of credit, you simply “thaw” the report.
The Equifax breach and its aftermath set a precedent for how companies should (and shouldn’t) handle a data disaster. Equifax received (and is still receiving) massive media and consumer backlash for its poor handling of the situation.
Just recently, two US representatives introduced new cybersecurity legislation: The Active Cyber Defense Certainty Act (ACDC). If passed, companies would get “legal power to chase cyber-criminals across the Internet.” It would:
[…] carve out exemptions in the Computer Fraud and Abuse Act (CFAA) of 1986 to allow companies to utilize computers and networks without authorization, but only if they are doing so to attribute or disrupt an attack, to retrieve or destroy stolen files, or to monitor attackers. (eWeek)
Currently, private companies can only act within a carefully constructed legal framework. As it stands now, businesses’ and organizations’ hands are tied when it comes to defending themselves: by the time they jump through the required legal hoops, the damage is already done. The new bill hopes to “empower individuals and companies to use new defenses” and spur “a new generation of tools and methods to level the lopsided cyber battlefield.” One caveat practitioners raise: attackers routinely route through compromised third-party machines, so “disrupting an attack” or “retrieving stolen files” can mean breaking into systems that belong to another victim rather than to the attacker. More and more, policy change is attempting to give businesses and consumers tools to fight back before it’s too late.
As you may have noticed from the dates above, there was a noticeable push for fresh cybersecurity policies and lasting legislative change in the second half of 2017. One caveat: “Technology is advancing at a rapid rate; the development of standards may, therefore, fall far behind technological advances.” (WeLiveSecurity.com)