It’s no secret that data breaches are on the rise. In fact, there have been more data breaches than ever before. Medical data breaches are proven to cost more than any other type of breach, costing about 400 dollars per record.
Data breaches are rising dramatically putting them on the agenda for most C-suite and corporate boards. Customer information is being lost, trade secrets are being sold and confidential assets being breached can significantly lower customer loyalty and trust as well as definitely lower the reputation of those companies which were breached. They can also give the competition a significant advantage.
These aren’t the only things that companies have at stake. The many different types of cyber-security risks make cyber-security a vastly complicated problem. In fact attempting to protect the many different frameworks and CMS and private networks is fraught with other complications to layer on top of the complexities.
Today, governments are seeking ways to stem the tide of breaches and break-ins by creating new legislation that provides for specific levels of security and best practices for companies.
This tidal wave of governments and new cybersecurity regs and recommendations make additional problems in and of themselves. The United States government alone has proposed more than 200 bills (actually 240 at last count.) This includes legislative proposals for ways to deal with cyber-security. This number of mandates and proposals have taken place in just the past three years alone and the number continues to rise.
The proposals fall into a wide range of categories. In some cases the proposals are that companies implement direct requirements for protection. One example of this is that companies in the critical infrastructure arena are going to be facing requirements for security in the US and in the UK and EU as well. They will have specific requirements for risk assessment, control and for personnel training. The question is how can a country legislate a level of security when that level cannot be guaranteed by any company. There are even “trade secret” protection laws in the works that require companies to take “reasonable steps” in order to keep information about the programs and devices safe from cyber threats—though what those steps are is another unknown.
In addition to legislating the devices and services that are being legislated, share holders are becoming more demanding that companies safeguard medical and technical information. That means that securities laws as they relate to new IoT devices and services are also being legislated. In the United States, some measure of shareholder litigation as well as SEC proposals and enforcement are already launched and seeing some effect.
With all of the changes and the advances in technology, it’s no surprise that legislation will follow. Is your company ready for the changes that are being made in IoT and internet services?
According to Brink News, “The rising tide of cybersecurity regulation and recommendations complicates the landscape for companies.”
The National Institute of Standards or NIST, offers one of the most comprehensive tools for managing the risks involved in information security. Even the federal government agencies of the US are embracing it wholeheartedly. In a survey undertaken by Dell, more than 80 percent of professionsl in the security arena are using the NIST framework for improving their own security, which makes it a great place to start for companies which are trying to come into line and ensure their compliance to the expected new regulations.
According to the experts, the NIST method and framework may well be the guideline that the courts and legislators will use to determine whether companies in the IoT and IT business are doing their best to secure devices and provide for data security.
There are other standards that are entering into play such as the ISO 27001 which is being used by many companies. The standard is different structurally than the NIST Framework though NIST makes reference to the ISO requirements in their own framework.
What is your company doing to secure their data and IoT devices? How are you set up to come into line with the regulations and legislation that is sure to be just around the corner?
Every company should be taking steps now to implement some type of protection to meet the ever changing threats as well as the ever changing cyber-security regulations.