Cyber-Security: Business & Government InteractionsBy Samuel Greengard | Posted 2015-05-19 Email Print
Legal and cyber-security issues are increasingly intersecting. A study shines a light on evolving trends and what business must to do combat threats effectively.
One of the biggest challenges related to cyber-security centers on the connection points between private industry and government officials. Most security analysts and experts agree that over the last quarter-century, the stakes have become greater, and the need for cooperation has expanded dramatically.
How enterprise leaders interact and interface with government regulators, law enforcement officials and other organizations shapes issues as diverse as how the reporting of breaches and other incidents takes place, and how the public and private sectors respond.
A newly released study from law firm Mayer Brown, "Perspectives on Cyber-security and Its Legal Implications," offers insights into these and a variety of other issues. Among the key findings: Nearly two-thirds of respondents (63 percent) considered cyber-issues to be just one more cost of doing business; 57 percent estimated that litigation risks posed by cyber-security issues have a relatively modest impact on their cyber-security planning; and 29 percent believe that cyber-crime will always be one step ahead of legislative protections and enforcement.
Only 23 percent indicated that their company had built a close working relationship with an industry regulator, and 20 percent had had connections to a law enforcement agency.
The study of executives across 15 industry sectors also identified a number of other concerns and problems. For instance, nearly 50 percent of respondents weren't sure if the NIST (National Institute of Standards and Technology) Cyber-security Framework has been helpful to their company in addressing cyber-security risks.
However, 84 percent of respondents said that they expect clear national standards on data breach notification to emerge within the next five years. Only 27 percent indicated that their companies have a separate cyber-insurance policy.
Legal Issues Have Not Been Addressed
Marcus Christian, a partner in Mayer Brown's Litigation & Dispute Resolution practice and a member of the firm's Privacy & Security practice, says that many organizations have not adequately addressed key functional and legal issues, and few have developed a written data protection plan. With industry at a critical junction, organizations must begin to focus on the legal framework, and build stronger ties with government regulators and law enforcement officials.
"Businesses and federal law enforcement agencies have a mutual need to receive timely information from each other," he points out. "For a business, timely information about a threat can make the difference between catching an intrusion before damage occurs and suffering a mega data breach."
For example, in 2014, the United Parcel Service received a government bulletin warning about malware that escaped the detection of antivirus software. After taking action, UPS discovered the malware at about one percent of its locations. "Had UPS not received the bulletin, the harm could have been much worse," Christian adds.
Christian, a former U.S. federal prosecutor, suggests that business and IT leaders develop processes and systems to work with law enforcement agencies in order to spot trends and patterns, identify actors behind attacks, and alert other companies to existing and emerging threats.
"Cyber-crime is not a problem to be solved by one technology, one policy, one company department or one series of activities," he says. "Organizations should approach cyber-security as an ongoing and interdisciplinary challenge that requires active engagement from stakeholders throughout an organization and beyond."