Peruse a newsstand these days and it is easy to see how cyberattacks remain a persistent global challenge to consumers, businesses and governments alike. Headline-making events like the recent Equifax, Deloitte, and Securities and Exchange Commission breaches, as well as recent ransomware events, demonstrate the diverse and far-reaching impact of cyberattacks. With the U.S. National Cyber Security Awareness Month and European Cyber Security Month now underway, more attention needs to be devoted to combating this ever-growing threat.
Each October, governments and businesses work to enhance corporate and individual awareness of cybersecurity issues and defenses. But this year, we should consider formalizing a more collaborative, public-private partnership. Our best tool in the toolkit is a collective approach – with flexibility, proactive educational initiatives, and regulatory consistency – to remind individuals we all need to work together to counter this threat.
Cyberattacks are a constantly evolving threat, and bad actors are very good at adapting to new technology and defenses. Threats can be intentional or unintentional; they may come from an internal or external bad actor; a third party may be the chosen avenue for entry; and the motivation for such activity can vary. Because of this, businesses and governments must be allowed to deploy flexible, risk-based approaches to their unique cybersecurity needs.
While working to enable flexible plans for countering these attacks, we must take advantage of opportunities to educate the American people. The October awareness campaigns are designed to improve attentiveness when it comes to cybersecurity issues and defenses. In particular, the Department of Homeland Security has taken a proactive approach to educating the population on cyber risk, providing tools and resources that help individuals understand how their devices are connected to the internet, how their networks are secured, and how to recognize good website links versus bad ones.
Moreover, businesses should utilize the month of October to assess their vulnerabilities and procedures for protecting corporate and consumer information and to ensure that their employees are fully aware of company protocol. Detailed risk assessments, employee training sessions and tabletop exercises are just a few of the educational options available to employers to inform their workforce.
Finally, flexibility and a proactive, alert population are essential, but a uniform, consistent regulatory framework is also required. If state governments and the federal government developed this type of approach, it would maximize efficiency and resource utilization as well as enhance consumer protections.
Currently, data security is largely governed on a state-by-state basis. However, many multi-state businesses, insurance companies included, do not limit their security approach to individual state operations. Rather, most apply a holistic, system-wide information security program that is not differentiated by state jurisdictional lines. As the landscape of legislative expectations for minimum data security obligations unfolds, state and federal governments need to pledge more consistency in design and implementation.
Flexibility, education, and collaboration are three simple, commonsense steps that – if taken – will move us to stronger, more secure ground when it comes to defending against future cyberattacks. This October, if we deploy these three strategies, the ability to change next month’s headlines is in our hands.
Angela Gleason is senior counsel at the American Insurance Association.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas.