Could it be that we’re suddenly getting serious about cybersecurity? Recently US Investigations Services, LLC (USIS) had several Federal Government contracts put on hold after alerting the Government to a breach that exposed information about Homeland Security employees; the contract action resulted in the layoffs of 2,500 people. The action has definitely put Government contractors on notice, and now there is talk of a whole-of-Government 72-hour reporting rule for breaches. Additionally, many people expect prime contractors to flow cybersecurity requirements down contractually throughout their entire supply chains, which would have a huge business impact on many smaller companies that rely on Government business.
One of the big stories from the Target data breach was the fact that the CEO and CIO lost their jobs, and a number of the Board members were in danger of being voted out by shareholders. This liability crosses all sectors and includes monetary damages as well, such as the record-setting $4.8 million paid by NewYork-Presbyterian and Columbia University for violation of privacy and related laws.
States are getting into the action as well. Virginia became the first to adopt the new NIST cybersecurity framework as part of efforts to reduce cybersecurity risks to critical infrastructure in Virginia. Currently the Commonwealth is undertaking a variety of activities to improve its cybersecurity posture. One of these, for example, is assessing third-party cloud service providers for compliance with a rigorous set of criteria, including continuous monitoring, access controls, encryption, and many others.
There is no guarantee that any of this will improve security. It is also clear that putting a lot of companies out of business is not the way to solve this problem. But it does seem that, at long last, cybersecurity is moving from a curiosity to a business imperative.