In the spring of 2020, SolarWinds Orion, popular system monitoring and management software widely used by the U.S. government and thousands of private companies, was hacked and infiltrated with malware.
Later in the year, it was found that as a result of the hack, sensitive data was compromised within many enterprises including the Securities and Exchange Commission (SEC), Pentagon, Department of Homeland Security, State Department, Department of Energy, National Nuclear Security Administration, Department of Justice, and the U.S. Treasury. Fortune 500 companies, downstream of such agencies and their services, were also affected.
The widespread theft of intellectual property and personal information – affecting both individuals and businesses – is concerning. It warrants a heightened awareness, followed by action, to control the risk of future data compromises.
On January 28 we celebrated Data Privacy Day, an internationally recognized initiative focusing on raising awareness of the importance of protecting the privacy of personal data online. And it could not have come at a better time.
Your data. Your privacy.
Public and private networks are still recovering from the SolarWinds breach, along with a sustained legacy of cybersecurity breaches that put our data at risk.
Data Privacy Day was part of a global effort to build awareness about the importance of data, its privacy, and to encourage proactive planning to protect it. In the years ahead, this event will continue to serve the same purpose.
Sensitive data is everywhere. It can be found on our phones, in connected devices, and within a wide and deep array of data repositories found everywhere nowadays. Hacks and compromises are malignant and come from where you’d least expect, when you’d least expect them. An effective defense starts with a strong awareness of the criticality of your data and its privacy.
Understanding cybersecurity risk
The prevalence of cybersecurity risk and the importance of strong data privacy protections are supported by an overwhelming sentiment from businesses and individuals alike. For example:
- The Pew Research Center found 81% of consumers believe the risk imposed from the collection of data from companies exceeds the benefits.
- RSA reported that 64% of Americans blame companies, not hackers, for the loss of personal data.
- Research from TrustArc found that 45% of Americans think online privacy is more important than national security.
- Cisco said that a whopping 97% of firms say they realize benefits from allocating resources to data privacy, including a competitive advantage and investor appeal.
Managing risk
An important question, then, is how we should protect our data and adequately manage cybersecurity risk.
Adopting a privacy framework helps manage risk while creating a culture of privacy. There are several notable frameworks to consider. These include:
- The National Institute of Standards and Technology (NIST) privacy framework: This is a voluntary tool that provides a blueprint and approach, intended to help organizations identify and manage privacy risk and build innovative products and services while protecting the privacy of individuals.
- The American Institute of Certified Public Accountants (AICPA) framework: The framework incorporates system and organization controls (SOC) related to an organization’s enterprise-wide cybersecurity risk management program through which CPAs report.
- ISO/IEC 27701 – International Standard for Privacy Information Management: This international standard helps organizations meet new robust data protection requirements, including the European Union General Data Protection Regulation (GDPR). It also helps firms manage privacy risks related to personally identifiable information (PII).
- The Cybersecurity Maturity Model Certification (CMMC): This program was recently announced by the Department of Defense (DoD) as a framework for the enforcement of the department’s existing Defense Federal Acquisition Regulation Supplement (DFARS) requirements. DFARS cybersecurity requirements were implemented in late 2017 to provide security protection for controlled unclassified information (CUI) as provided by the NIST SP 800-171 standard. CMMC’s goal is to improve cyber hygiene of the Defense Industrial Base (DIB) and others with a formal audit program for compliance.
A spotlight on CMMC
The CMMC program deserves spotlight consideration as it is new and noteworthy in the context of cybersecurity and the protection of intellectual property critical to national security.
The CMMC framework consists of five maturity levels – Level 1 through 5. Each level is a progression from basic cyber hygiene (level 1) up to an advanced level (level 5). CMMC sets formal standards for the maturity – the level of institutionalization – of cybersecurity practices within an organization. Under this framework, businesses that handle sensitive data cannot get by with ad hoc or ill-defined protections. They must formalize their practices such that effective protection is baked into their day-to-day operations.
The CMMC framework applies broadly to all contractors – prime contractors as well as subcontractors – who conduct business with the DoD. Contractors must attain at least the basic Level 1 certification. Previously, firms could self-attest to their cybersecurity compliance. Now contractors must achieve certification through a certified, independent third-party auditor before being awarded a defense contract.
This action by the DoD to raise the bar for all of their contractors is apropos in the wake of such events as the SolarWinds software hack. It calls attention to the importance of cybersecurity and data privacy.
What is your plan?
What we learned from our reflections on Data Privacy Day, together with the figures above, are important takeaways – not just for the present, but especially for the future, as we march forward at a time when risks to our privacy are at the forefront of public discussion and concern.
Even beyond Data Privacy Day, enterprises and individuals must continuously reflect on their own blueprint of protection to safeguard data privacy. Such a blueprint is best built using established frameworks to safeguard data and networks and instill a culture where security is everyone’s job.
For hackers, when one door of vulnerability closes, another opens. Our data is always vulnerable to compromise. Safekeeping of data relies on our awareness and our proactive measures to manage and successfully control cybersecurity risk and ensure privacy.