As the 13th annual National Cyber Security Awareness Month closes and data breaches and botnets are again dominating the headlines of the U.S. election and the business pages, it’s worth taking stock once again of how we can best move forward, encourage strong data security and build a more trusted internet. In most cases, the weak link in security is human error – people make mistakes that leave their accounts vulnerable. That’s why the National Cyber Security Alliance (NCSA), in partnership with the White House and more than 30 companies and organizations, has led the Lock Down Your Login campaign to educate people about how to make their accounts more secure through strong authentication and better password practices.
But strong cybersecurity cannot rely on consumer behavior alone. Businesses themselves must also raise their game in order to ensure that they protect and safely store sensitive consumer data. Most businesses genuinely want to handle customer data entrusted to them responsibly, but it’s not as easy as it sounds. Small businesses in particular may struggle to know how they should handle customer data. What is a “reasonable” level of cybersecurity for a company to invest in? How should companies – particularly small companies with limited resources – appraise the cyber hygiene of third-party vendors that they rely upon for important business functions?
Like the theme for National Cyber Security Awareness Month, protecting small businesses is a shared responsibility between the businesses and government. Government plays a dual role: as an educator and, if need be, as an enforcer.
As an educator, government has produced some great materials and programs. The NIST Cybersecurity Framework provides an easily adaptable roadmap for businesses of any size, and the U.S. Department of Homeland Security runs the C3 program to provide assistance in implementing the framework. Nonprofits like NCSA have created in-person training for small and medium-sized businesses to help them focus on implementing better cybersecurity practices.
The Federal Trade Commission (FTC) has the government mandate to protect consumer rights, including their data. It is the enforcement agency that holds companies accountable when consumer data is insufficiently protected. The FTC doesn’t just enforce, it educates as well, and it has done important work in this area. In 2015, the FTC launched “Start with Security,” a combination of materials and events raising awareness in the small business community about the need for strong data security, which was very well received. Start with Security is grounded in the lessons learned from the data security cases the FTC has brought against businesses. In essence, it’s a chance to learn from the mistakes of others. In October, the FTC issued a valuable new resource on data breach response so businesses can act quickly and responsibly in case of a breach. The FTC has a fantastic resource for victims at identitytheft.gov and has announced plans for a conference on identity theft in May 2017.
But considering the increasing frequency of large data breaches, and the inescapable fact that this issue is becoming a bigger concern for consumers, it makes sense for the FTC, other government entities and the security community to increase their focus on data security as well. The FTC is a trusted entity and an excellent convener of stakeholders; it holds annual workshops on several issues, including microeconomics, macroeconomics, and privacy, that are of the highest quality and highly respected. If we are going to make data security an ongoing priority for every business in America, it makes sense to institutionalize a government-hosted data security discussion with broad stakeholder participation. Its goals would be to keep current on the better and best practices for improving data security and protecting customer data, and on trends in security threats and defenses.
NCSA always works in the spirit of collaboration, knowing that bringing our shared interests and knowledge to the table helps us find the way forward. When it comes to data security, it’s time to work toward institutionalization, and the FTC is uniquely well placed to convene and facilitate such a discussion on an annual basis.