Last week, the White House and the US National Institute of Standards and Technology (NIST) released the voluntary cybersecurity framework they have been working on for a year—the result of an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” The hope is that this new framework will eventually lead to a more robust cyber insurance market with lower premiums. While 85% of corporate executives named cyber attacks as their greatest risk in 2013, less than 20% of companies purchase cyber insurance. The NIST framework is a set of industry standards and best practices to help organizations manage cybersecurity risks. The 41-page document can be found here. The framework’s focus is to measure and mitigate risk in the country’s cyber infrastructure to protect airlines, roads and other vital aspects of the U.S. economy, but it serves as a good model for any organization.
This is timely in light of the many data breaches that have taken place of late. For example, unless you’ve been living under a rock, you know that Target announced the theft of financial information, including credit and debit card information and embedded PIN numbers, from as many as 110 million customers. Since announcing the breach in December, information continues to come to light, and none of it is good. For instance, the New York Times reported that Target was vulnerable to the cyber-attack because its systems were “astonishingly open—lacking the virtual walls and motion detectors found in secure networks.” Hackers planted malicious code in early November, and it went undetected for weeks. Remarkably, Target did not find the breach on its own; the Secret Service discovered it during an unrelated investigation in which agents had been tracking hackers overseas and noticed a common thread in a string of suspicious credit activity: payments made at Target.