If you are the CEO of Google, Facebook, Verizon, Comcast, Exxon or Boeing, don’t read this. You have a team of lawyers working for you who have already spent hours analyzing President Obama’s Cybersecurity executive order and the numerous articles about it. If you own a one-location cupcake shop, auto repair facility or truly a “mom and pop” business, you can go back to looking at Harlem Shake videos online. This post is for the rest of us.
Even if you are not into defense, a major international conglomerate or think no foreign entities, hacktivists or cyber-terrorists are coming after your company, you may need to take steps now to respond to the executive order.
The Basics
The focus of the order is on “critical infrastructure“ which largely means energy, health care, transportation, financial services, heavy manufacturing, food and drugs. If you are wondering whether you are “critical infrastructure,” you probably aren’t. In fact, the Secretary of Homeland Security is tagged with identifying “critical infrastructure at the greatest risk.” Those identified will be confidentially notified of the designation and encouraged to adopt the cybersecurity framework. But, you probably work with someone who is considered “critical.”
If you contract in any way with the government, or even contract with those who contract with the federal government, you should probably pay attention. If you work with those in likely to be identified as “critical infrastructure,” you should pay attention. Right now, many of the directives are voluntary, but it is likely preferences will be given to contractors who tighten their sybersecurity. You can expect cybersecurity to become part of the RFP process, so you need to be ready.
Have a data breach plan in place. If you store any individual’s personally identifiable information, including credit cards, or other sensitive information, you should already have a plan in place that complies with many state laws so you can report any breaches to the appropriate authorities. Now, you should have a plan in place in case you lose trade secrets or get hacked for other reasons. This plan should include the technological response to mitigate the harm and reporting requirements to the appropriate agencies.
The Government is promoting more transparency and a private-public partnership to address these national security concerns. If you do business with any federal agencies, or companies that do, start asking them what they think is appropriate for your situation. If you are in a heavy-regulated industry or would be considered “critical infrastructure,” your requirements are likely to be dicated by the National Institute of Standards and Technology (NIST) or your specifc industry regulators.
Think about your vendors and contractors. We have already written a two-part series about some state laws requiring you and your contractors to have Written Information Security Plans or WISPs. Now, think about whether you are doing business with or for anyone who may be considered “critical infrastructure.” Here’s looking at you internet marketing and web development firms. You need to be prepared to provide notices and information about data breaches. What are you prepared to disclose? How much will you have to disclose while still not disclosing too much personal privacy? You need to make sure you and your contractors have plans in place.
Go Hack Youself. Yes, I mean this literally. Your plan should include some type of periodic risk audits. Have someone try to hack into your system so you know and can address your vulnerabilities. Although not required at this point, it may become law before year’s end. If your IT guy can get through, imagine in the full weight of a foreign power or legions of hacktivists coming after you. Think about whether your business partners are also up to snuff and do periodic testing.
But wait, there’s more . . .
Just when you thought that was enough, if you are doing business in Europe, you might want to check out the EU’s Cybersecurity Directives.
Finally, Homeland Security may not be the only one interested in your cybersecurity. The SEC requires disclosures of your cyber-risks and protections.
