Connecticut Governor Dan Malloy is putting a new Cybersecurity Action Plan in place to better protect state government, education and private companies.
Connecticut State Capitol in Hartford
“Recent events have underscored nationwide vulnerability to cyber penetration,” Malloy said. “While no one can guarantee security, we can take basic steps to protect government functions and give Connecticut business a competitive edge,” Malloy added. “I call on everyone in Connecticut to be part of the solution. This action plan offers concrete ways for all of us to be safer.”
The plan includes more security in state government agencies, the General Assembly and the judicial branch; creation of municipal cyber defenses and sharing of regional resources; engagement with the business community to encourage risk assessment and security; increased academic attention to cyber compromise; and increased attention to intelligence analysis and cyber-crime investigation and collaboration between local, state and federal authorities.
The 41-page document explains that there are 4,000 unfilled cybersecurity jobs in the state. It goes on to say that private business must demonstrate that it understands its role and is prepared to protect citizen data and the critical services it provides. A key goal of Connecticut’s Action Plan is for businesses to recognize the threats they face and to have serious, effective programs that distinguish Connecticut businesses as active partners in the state’s cybersecurity efforts, thereby improving their security and helping give Connecticut a competitive edge.
The Action Plan identifies goals for Connecticut’s five critical sectors and applies seven principles for strengthening cybersecurity defense identified in the strategy:
1. Executive awareness and leadership;
2. Cyber literacy;
6. Communication; and
The single, most impactful way for any organization to reduce cybersecurity risk is to have informed and engaged leadership. Leadership positively influences the rest of the principles, flows through all sectors and throughout the action plan.
The Action Plan calls for strengthening the approach to law enforcement and security related to cybercrime. Recommendations to continue the progress being made begin with strengthening the Connecticut Intelligence Center’s analysis capacity and increasing its ability to assist law enforcement to benefit from classified cybersecurity intelligence. The second step is creation and staffing of a dedicated state cybersecurity investigations unit to work with local and federal authorities. The third is training: a basic cybersecurity training program for cadets, programs for all troopers and assistance in cybersecurity education for municipal police. Finally, law enforcement will benefit from planning and rehearsing response to new challenges in the event of a critical infrastructure compromise.
The document has a strong focus on business, explaining that all computers connected to the internet are vulnerable.
A key goal of Connecticut’s action plan is for every company to recognize its threat environment, to have a serious, effective cybersecurity program and to help distinguish the state’s business community as being an active partner in the state’s cybersecurity efforts. The necessity of effective business cybersecurity to jobs, prosperity and even survival underscores that the national trend is to look to legislation and guidelines to strengthen cybersecurity practices. The Securities and Exchange Commission emphasized the importance of this goal in a February 20, 2018 unanimously approved set of guidance to assist companies in the disclosure of cybersecurity risks and incidents.
Connecticut’s goal is to work with its business community through active collaboration to accomplish as much as possible before formal processes and legislation prove necessary. Two key results of collaborating can be increased security and lessons learned regarding what works and what does not. Absent active collaboration, it is entirely possible that the critical need for effective cybersecurity measures will result in legislation and regulation that do not effectively reflect the best interests of the state or of private business.
Smaller companies that may not have the benefit of a network of peers or structured access to federal intelligence still need to measure their cyber risks against their defense systems to determine whether their cybersecurity maturity and applications are sufficient.
A cyber compromise can have extensive consequences, reaching into many areas including operational integrity, financial vulnerability, business and brand reputation, public confidence in products and services, corporate branding and ability to hire.
Cybersecurity is a business risk. At present, many businesses, especially small ones, are learning about cybersecurity exposure and seeking guidance in constructing an appropriate defense.
Boards of directors and chief executive officers need to recognize how easy it is to penetrate and damage an inadequately protected business and lead the process of creating effective cybersecurity defense programs tailored to their companies. Business leadership recognition and application of Connecticut’s seven cybersecurity principles would be a significant boost to the state goal of national cybersecurity leadership. The principles are general and flexible, given to different emphasis and relevance in different settings. Those leading and managing companies are welcome to take and use them, incorporate them in business mission statements, cultures and value propositions and then apply them actively as best practices. Today’s business leaders need to manage cybersecurity both to avoid damage and to give their businesses a competitive edge.
Some action steps for private business are as follows:
The defense industry can support trade associations and the business community by discussion of what works for them.
Insurance companies can share best practices and threat assessments with each other and make progress in becoming more valuable business partners with their insured to defend against cyber threats.
Financial services companies can work with their customers to improve customer defense. There is scope to improve protection of information systems in collaboration with third-party service providers. The areas of personnel training, operations monitoring, testing, management of incident response and reporting of an agreed level of cyber-attack are always open to improvement. While some states (e.g. New York) have decided to pursue these challenges through legislation and regulation, Connecticut is agnostic at this point as to the means of achieving greater security.
The state-level, regional and local trade associations and chambers of commerce have considerable scope to enter the cybersecurity field constructively and contribute to progress in Connecticut.
They need to make cybersecurity a visible, active priority and explore the provision of shared services. They need to demonstrate energy, plans and engagement. There is extensive room for offerings: a basic cybersecurity “kit” for small businesses, descriptions of the core components of a cybersecurity team, communications of technical support and educational resources available, crisis training, financial systems monitoring and operations oversight. Small- and medium-sized businesses need to be cyber secure in order to win business from larger companies that will select the more cyber-advanced competitor.
The document goes on to say effective cybersecurity can give Connecticut businesses a competitive edge and shares some basic points:
Cybersecurity threats are serious, and there is growing recognition of the damage cyber compromise can inflict on a company and the state;
Company engagement with business organizations, chambers of commerce and trade associations can help raise awareness and share defense costs;
Businesses must take action to increase cybersecurity defense capabilities including risk assessment, addressing company culture, allocating financial resources and training; and
The chances are that we will see significant damage to some Connecticut companies in the future. Companies must plan for and rehearse recovery from cyber compromise.
According to Larry Szebeni, COO of Apex Technology Services, to minimize the risk of a data breach, companies should specifically do all of the following, right away:
Cybersecurity training should be performed every six months. It should ideally be live and interactive. Human error is one of the greatest risks to customer data.
Auditing and documentation must be performed regularly to ensure systems are secure. This should be done by personnel who don't run the day-to-day operations.
Anomaly detection should be running constantly to detect threats as they emerge.
Penetration testing (pen testing) shows if systems can easily be reached and breached. Here is a case where such a test might have saved the reputation of two companies. Annual or more frequent pen testing is optimal.
An action plan to follow if a breach does occur. Once it happens, few will have the clear heads needed to “wing it” correctly. Equifax botched its response in what is being called a
There has been a tremendous increase in cybersecurity incidents. In addition to individual hackers and organized crime syndicates, terrorist groups like ISIS and nation-states like Iran, Russia and North Korea are targeting U.S. corporations and government agencies.
No company can be complacent about protecting customer data and remain in business as the threat is becoming greater, cybersecurity insurance rates are growing and government fines are increasing. The longer an organization waits to deal with these issues, the more peril they will likely be in.
To ensure your organization is as secure as possible, consider the following APEX Connecticut cybersecurity training program included in its comprehensive cybersecurity solution which is the equivalent of the cybersecurity kit mentioned in the Connecticut Cybersecurity Action Plan.
For more information contact Apex Technology Services at 203-295-5050.