Tuesday, June 30, 2015

Strategic Minimal Investments in Cybersecurity and IoT

Today’s cybersecurity challenges remind me of the “Frog and Toad” children’s stories, where Frog and Toad debate how to stop eating all the cookies right away. They concoct a plan to put the cookies in a jar in a high cabinet where they can’t reach… easily. But someone can always reach. You can’t even trust yourself sometimes, so can you trust your buddy?

Cybersecurity concerns every facet of modern life, from children’s toys to self-driving automobiles and every consumer transaction. Cybersecurity threats will worsen with the Internet of Things, as millions and then billions of sensors collect data and feed it to some data center for comparison and analytics. Analytics will help move from data chaos to predictive strategies.

Prudent risk management requires diversification of risk. Consumers and businesses alike need to use caution in approaching investments in sensors and IoT. Access rights to a sensor that combines sensitive personal data with controls for the household or factory would increase the risks of abuses by employees as well as hostile hackers.

The Department of Justice’s guidebook on anticipating and dealing with data security breaches (Best Practices for Victim Response and Reporting of Cyber Incidents, published April 29, 2015, http://1.usa.gov/1I0QxAl) highlights how every business needs to adopt prudent risk management, particularly supply chain risk management, in their business. As a contract attorney in technology businesses (and former high school wrestler), I am reminded of my coach’s advice: stick to the basics, and do them exceedingly well, and also anticipate your adversary’s expectations so you have a plan to defeat the “normal” expectation.

Today, private equity and venture capital (and strategic acquirers) are targeting cybersecurity companies for investment and acquisition. We all have to buy cybersecurity or be at risk of tremendous damage to brand goodwill, fines and even monitoring.

How much should private industry collaborate to deal with privacy challenges? On one hand, the government is offering to share security risk data with private industry (see H.R. 1560, a bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, passed by the House of Representatives on April 22, 2015, and H.R. 1731, a bill to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, passed by the House of Representatives on April 23, 2015). The ACLU opposes enhanced sharing as an invasion of civil liberties and as inviting private abuses of shared information.

On the other hand, private industry can do that job without yielding data that could be abused.  The flip side of security is the question of trust: whom can you trust, and for how long?

So, for business and consumers, it’s time to consider whether the hassles and additional marginal costs of encrypting data are a better investment than high-premium cyber-risk insurance and traditional loss prevention and recovery methods.

And, as a matter of information governance and Internet safety, every investment in cybersecurity would be wise. The simpler the better.