In 2003, California adopted one of the first cybersecurity laws in the U.S. The legislation required businesses to notify customers if they suspected they had been the victim of a breach. This created a domino effect with 47 other states adopting similar laws, drastically changing cybersecurity across the country.
Once again, California has positioned itself as a leader in the effort to make U.S. business more cyber-secure. California’s Attorney General Kamala Harris recently released the California Data Breach Report, which discusses the types of breaches that companies face in California and the frequency of those breaches. Due to the personal privacy implications of a breach for any company’s customers, AG Harris argues in the report that state governments need to do much more to ensure that companies are providing reasonable security. The report proposes that, in order to better protect company data and customers’ privacy, businesses operating both in California and across the country adopt the Center for Internet Security’s list of 20 controls for effective cybersecurity defense, the CIS 20.
Understandably, tension often exists between government and business when new regulatory policies are proposed or enacted, and this is no different with cybersecurity policies. Businesses may feel that they are being forced to implement policies that will cost too much or harm their business. However, in this case, by implementing the CIS 20, any company with a cyber presence will not only better protect their customers’ information, but their own business interests as well. In the long run, implementation of these 20 controls will significantly improve security for companies and help protect them from the consequences that a breach could have on their reputation and bottom line.
While all 20 measures are important, there are 4 especially crucial controls that companies should ensure are part of their own cybersecurity policies and strategy.
CSC 4: Continuous vulnerability assessment
It is critical for companies to regularly adapt to evolving threats and to continuously test their systems for cybersecurity weaknesses. Businesses often make security updates to their own network, but many times, daily core business matters may take precedent and push network testing and updates to the wayside. As a first step, companies need to be sure that a baseline assessment is made of their security measures combined with a network penetration evaluation, where an outsider tests the network. These measures provide a strong starting point for businesses to develop their own continuous vulnerability assessment process.
CSC 6: Maintenance, monitoring, and analysis of audit logs
Similar to vulnerability assessment, analyzing audit logs to better understand the potential threats to a network is a full-time commitment. Hackers rely on the fact that many businesses collect audit logs and do not analyze them or fail to collect them entirely. As a result, hackers can remain invisible to businesses and attack networks without victims even knowing. Actively reviewing audit logs helps businesses stay one step ahead of attackers, which could be the difference between catching an attack or operating with a compromised system.
Scheduling audit log evaluations is one way for a business of any size to ensure they are continuously reviewing network activity. However, finding and scheduling the time necessary to review audit logs is a tedious task that often is neglected. In order to avoid placing this important task on the backburner, companies can turn to a managed services provider to review logs daily for any abnormalities. Another option is utilizing advanced analytics and correlation in order to identify any clear signs of user level or network intrusions. Reviewing these audit logs is essential to improving an organization’s cyber awareness and protecting their networks. If a company can’t find time to do this regularly, turning to an outside company or tool is imperative.
CSC 13: Data protection
Most businesses hold sensitive information like credit card numbers, social security numbers, and addresses, but these are not always guarded as closely as they should be. Cloud-based storage is a huge convenience for business owners, but for customers it is not always the most protective. CSC 13 recommends password protections and data encryption, popular ways to protect data in the cloud that your business may already utilize. Most importantly, these protection mechanisms should include automated tools to periodically check if data is presented in clear text.
Using an automated program not only makes this examination process simpler for businesses, but it also means that the system will be continuously updated. Similar to vulnerability testing, it is not sufficient to secure your data once and hope it stays protected. As threats change daily, protection against them must change as frequently.
CSC 19: Incident response and management
Many businesses focus their energies on preventing breaches and stop there, but prevention is not enough: a strong security system addresses what happens after a breach occurs. Honest incident response and management is critical. Without these, customers’ data is not truly safe, and CSC 19 offers a system for businesses to identify breaches, control the damage and move forward after the fact.
Breaches often go unnoticed, allowing them to do further damage. Many times when they are noticed, businesses choose to cover them up for fear of a ruined reputation or angry customers. However, these shortsighted choices can be costly in the long term, and they often stem from quick decisions and a lack of internal communication. CSC 19 recommends that businesses have a clear reporting process and create a chain of communication after an attack, appointing specific team members to be the main contacts for who to turn to if you suspect a breach.
For smaller businesses that lack the internal capacity to create a breach communication chain, partnering with an outside incident response team could be a huge benefit. Having additional eyes to watch over the network could make the difference between responding to a breach right away and minimizing damage and letting an attack go unnoticed, burying your business with the high costs of taking care of the incident later.
As the number of breaches continues to grow, there will be increasing pressure to hold organizations accountable for the data they possess. California has begun to take the lead on this, finding a balance between consumer protection, corporate responsibility, and government regulation. However, it is now up to the remaining U.S. states to follow California’s lead and implement similar measures.