As the battle against cyber security threats and other online threats continues, we’ve been monitoring conversations around how security trends impact organizations and policy makers across our nation. This week’s events demonstrate the importance of cyber security, not just for organizations and individuals, but for government authorities as well.
Moscow-based cybersecurity firm Kaspersky Lab has become a leading authority on American cyber security threats, but sources within the company say it has hesitated at least twice before exposing hacking activities attributed to Mother Russia. “Some companies think we should be stopping all hackers. Others think we should stop only the other guy’s hackers – they think we can win the war,” said Dan Kaminsky, chief scientist at security firm White Ops Inc. Eugene Kaspersky said his company has never been asked to step away from researching an attack. He also said his team would not be swayed by any country’s or official’s interests. However, several Kaspersky Lab employees say otherwise. As governments spend more money on network threat protection, they will continue to make connections with cybersecurity companies.
This week the federal government announced its plan to let businesses take the lead in creating standards for cyber threat information sharing. Andy Ozment, Homeland Security assistant secretary for cybersecurity and communications, tells Information Security Media Group, “It won’t look exactly like the effort to develop the cybersecurity framework, but it won’t be dramatically different, either,” he says. “The outcome is that the private sector will again have convened and come up with a set of best practices.” Last month, an executive order signed by President Obama called for ISAOs to identify best practices for security. However, the Department of Homeland Security is taking a different approach: DHS will hold competitions to select private-sector groups, known as ISAO standards organizations, to develop the guidelines for the creation and operation of ISAOs. Ozment says, “Ultimately it will be up to the private sector to say, ‘These are the practices that we think matter most that constitute an effective ISAO.’”
Since 2011, the Securities and Exchange Commission has encouraged companies to evaluate the various risks against their operational and financial programs. However, as the latest breaches continue to evolve, companies’ investors still view cyber security as a less important topic, often folding it into other legal issues. Cyber threats don’t usually generate as much investor attention as other risk factors. According to Fortune, “If companies are spending to improve cyber security, investors might expect to see increases in capitalized software reported in the balance sheet. Companies aren’t required to disclose the nature of their capitalized software, however. Even if there are noticeable increases in capitalized software, investors can’t be sure that they relate to improved data security. Any hardening costs that affect earnings might get rationalized in the quarterly earnings call, but it’s certainly not a trend.”
Earlier this week, the Online Trust Alliance (OTA) wrote a letter to Congress in response to President Obama’s proposed Personal Data Notification & Protection Act. The group also wrote that any law should “contain an appropriate coverage of personal information triggering notification obligations.” The group stated, “As an individual’s online world grows and expands, as our next generations spend more and more time socializing, communicating, gaming, shopping, banking, and researching online, so must the protections afforded to them.” The organization lists six points on why it’s important to complete a federal data breach notification law.