BreachExchange mailing list archives

Information Sharing Can Help Fortify Your Cybersecurity Strategy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Apr 2015 19:26:17 -0600

http://www.jdsupra.com/legalnews/information-sharing-can-help-fortify-you-94322/

Having strong cybersecurity policies is critical for protecting a company's
business, as the amount of commerce conducted over networks and the
Internet increases each year. Last month the Congressional Research Service
released a paper about cybersecurity information sharing and how it can
help companies, both large and small, improve their cybersecurity efforts
to decrease preventable breaches. The paper, along with other industry
research, is recommended reading for leaders of any business that deals
with internet-based transactions.

The Financial Impact of Security Breaches

The Center for Strategic and International Studies estimates that
cybercrime costs the global economy between $375 and $575 billion per year;
this calculation takes into account the hundreds of millions of people
having their personally identifiable information (PII) stolen plus the
damage companies and the global economy face as a result. The 2014 Ponemon
Institute Cost of Cyber Crime Study calculates that the average cost of
cybercrime for U.S. companies has increased 9% from 2013 to 2014. Expect
these numbers to climb as more PII and business records are stored
digitally.

The Benefits of Sharing Cybersecurity Information

Sharing information about new threats, best practices, and the effects of
an attack can have the following benefits:

- Businesses, particularly small businesses, can prepare for and protect
themselves from attacks and breaches.
- Sharing can have a positive impact on a company's reputation in the industry –
being seen as a team player and as a good corporate citizen will encourage
other companies to follow suit.
- Helps prevent duplication of work, meaning that the money saved on
security development could be diverted to different security measures or
other company needs.
- "[i]s arguably integral to national security and economic growth, and
people may choose to share information even when it goes against the
balance of their near-term economic incentive to foster a more secure
nation and a more productive economy." (Congressional Research Service
paper, p. 7)

Corporate America Sometimes Reluctant to Share Cybersecurity Information

One reason companies have been reluctant to share information about their
security and data breaches is worry that doing so will violate
privacy and/or antitrust laws. The government is aware of these concerns
and "has provided guidance that it will not consider generally accepted
cybersecurity information sharing to be anticompetitive behavior."
(Congressional Research Service paper, p. 4)

Another oft-cited reason for not sharing cybersecurity information is
concern about decreasing sales numbers and falling stock prices. Target,
victim of a massive 2013 breach, saw its stock prices increase 19% in the
three months after the data breach was publicly revealed. Costco, Walmart,
and Best Buy, three of Target's biggest competitors, saw their stock prices
drop during the same time period.

Avenues for Sharing Cybersecurity Information

The SEC requires publicly traded companies to disclose information that has
a "substantial likelihood that the disclosure of the omitted fact would
have been viewed by the reasonable investor as having significantly altered
the 'total mix' of information made available;" however, neither the SEC nor
the court system has mandated when a company must announce that information.

The Information Sharing and Analysis Center (ISAC) program was enacted in
1998 to create private sector, non-profit entities that collect, analyze,
and share information on cybersecurity threats and best practices with their
members. There are ISAC groups for different industries and they share
information anonymously with the government and other members of the ISAC
group. Membership is not mandatory, but it can cost money depending on the
level of membership the company desires.

Congress has also attempted to pass legislation that would incentivize
companies to share information. Three unsuccessful bills introduced
during the 113th Congress offered incentives for sharing
information that ranged from tax credits to assurances that certain
information would not be subject to public disclosure.

Summary and Takeaways

- Cybercrime is increasing each year and costs the global economy hundreds
of billions of dollars every year.
- Sharing cybersecurity information has benefits ranging from preventing
future attacks to decreasing expenses and fostering a positive reputation in
the industry.
- Some of the fears of sharing cybersecurity information may be unfounded.
- ISACs provide an avenue for sharing information anonymously with the
government and other companies in the same industry.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
