Regulatory attention to data security
Effective regulatory attention to data security at the national level continues to elude us after all these years. For as long as a patchwork of state-level and local standards has existed, industry experts have been calling for drastic improvement. According to Dark Reading, the aftermath of the SolarWinds hack may provide the best opportunity for such enactment. Since coming into play, GDPR and CCPA have continued to inspire similar legislation, largely on a state-by-state basis: recently, Virginia signed into law a second consumer privacy bill. On the federal level, movement has been much sparser, although a new Internet of Things bill requires any IoT devices purchased with government money to meet minimum security standards.
Key complements to any such government assistance would be enhanced detection and prevention capabilities, as well as improved information sharing among entities. The SolarWinds incident revealed the shortcomings of the current state of both, as a legitimate vendor was the source of the breach, and the extended delay in detecting a problem nullified the effect of sharing information.
Improving data security has been a major emphasis during the pandemic and remote working, which only exacerbated already complex issues. While struggling to confront external threats, organizations also have to worry about members of their own staff while they are out of the office. The latest annual report from Apricorn suggests that 35% of IT decision makers in the UK believe their employees have knowingly increased the risk of a data breach, which is concerning. This correlates with another stat, in which 58% of respondents feel their remote workforce will heighten their breach risk exposure. Clearly, trust seems to be an issue. For whatever reason, 26% of organizations claim their employees simply don’t care about security (though this figure is down from 34% last year). The corresponding numbers indicate that 27% of breaches are due to insider negligence, and 15% to remote workers in some way or another.
If there is to be further federal legislation to help organizations shore up their weak points, it must be accompanied by competent and cohesive efforts internally to continue reducing the percentage of staff that doesn’t care about the well-being of the organization’s cyber health. Enhanced detection, information sharing, and supportive regulations are indeed three important puzzle pieces, but a fourth is convincing employees to be invested in data protection.