Security breaches aren’t new news. In fact, if anything, they are old news. On an alarmingly regular basis, data security breaches at major organizations from IT providers to healthcare organizations to retailers are surfacing, putting customer data and PII at risk. These breaches come at a very significant cost, with the monetary loss from cybercrime reaching nearly $1 trillion last year.
Why is it happening? It’s not because businesses are unaware of the threats. In fact, they are keenly aware, judging from recent research, which reports that most CISOs and other IT leaders expect to experience breaches over the next year. Specifically, they say there is a:
- Likelihood of a data breach of customer data in the next 12 months: 80%
- Likelihood of a data breach of critical data (IP) in the next 12 months: 77%
- Likelihood of one or more successful cyberattacks in the next 12 months: 86%
One of the challenges is that cybersecurity is largely unregulated and there are generally no required minimum security controls, so businesses are largely left on their own to manage their security resources. One option would be to mandate specific security measures, but that would require massive oversight and constant review and take significant effort to implement and maintain.
The State of Connecticut, however, took an alternative approach in the absence of mandated security programs, hoping to motivate businesses to implement appropriate security measures. Last month, Governor Ned Lamont signed HB 6607, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” into law.
The law hopes to drive good security practices among the state’s businesses by limiting their exposure to court-prescribed punitive damages – if they have “created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework.”
The idea is that, if businesses can protect themselves from having to pay punitive damages by complying with clearly defined cybersecurity standards, they may be more likely to take appropriate steps to protect their networks, devices, and data. That includes the implementation of proven security solutions and working with professional MSPs with expertise in security services.
Cybersecurity programs that fall under these guidelines will follow the current version of one of the following security framework standards:
- The “Framework for Improving Critical Infrastructure Cybersecurity,” published by the National Institute of Standards and Technology (NIST);
- NIST Special Publication 800-171;
- NIST Special Publications 800-53 and 800-53A;
- The Federal Risk and Management Program’s “FedRAMP Security Assessment Framework”;
- The Center for Internet Security’s (CIS) “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; or
- The International Organization for Standardization and the International Electrotechnical Commission’s ISO/IEC 27000-series of information security standards.
As these frameworks are revised to keep pace with evolving threats, businesses will have six months following the publication of a new version to adjust their security programs and remain compliant. The law goes into effect October 1, 2021.
We already know the rate of cyberattacks has increased significantly over the past 18 months. The FBI reported as much as a 400% increase in reported attacks during the pandemic, and Interpol also noted a significant increase and expects the trend to continue.
This action by the State of Connecticut is a step in the right direction and should push more businesses towards ensuring their cybersecurity strategies are documented and followed. Connecticut is now the third state to have enacted incentive-based legislation to drive cybersecurity best practices, along with Ohio and Utah.
Edited by Erik Linask