The White House is thinking about basically bribing businesses to get them to patch leaky cybersecurity.
According to Politico, the US government is pondering, specifically, tax breaks, insurance perks and other legal benefits for businesses that do some serious overhaul of their digital defenses.
Politico recently got its hands on a May 21 presentation from the Department of Homeland Security (DHS) that raised the notion of such incentives.
The incentives aren’t yet finalized.
They would be designed to entice critical infrastructure players in particular, such as power plants and water systems, to adopt voluntary standards that are now being drafted by government and industry in response to an executive order from President Barack Obama.
The standards will be hammered out by DHS and the National Institute of Standards and Technology (NIST). The two bodies will work with businesses to create a security framework that businesses will, ideally, adopt of their own volition.
Politico pointed out that the financial lures also need to be run through federal agencies, including DHS and the Treasury Department, to determine how tasty the enticements can be, either with or without the help of a Congress that has proved, unfortunately, markedly unhelpful.
The 12-page document from DHS – which Politico refrained from publishing – reportedly mulls not only financial and market benefits, but also legal benefits, including limited lawsuit protection for participating companies.
It’s wonderful to hear about incentives like this, particularly if they might spur organizations into getting insurance that could help to protect them from the potentially devastating costs of data breaches or other cybersecurity dangers.
As it is, insurance professionals will tell you that many, if not most, businesses mistakenly think that general liability policies will cover them in times of cybersecurity mayhem.
Such policies won’t, but there are policies that will, and it’s wise to learn about them and know what questions to ask about such policies to make sure an organization is as well-covered as possible.
As Politico reports, experts believe that those organizations that adopt upcoming cybersecurity standards could be well-positioned to get breaks on such insurance, being able to point to the standards as evidence that they’re following best practices.
This is the juicy stuff that could greatly help to improve security postures.
As it is, the Homeland Security page about cybersecurity incentives is as dry as a sun-baked bone.
DHS talks about secure software engineering, security breach forensics, better training and the instillation of personal data “ownership” – all worthy, mind you, but all very blah, blah, blah.
Tasty cash, on the other hand? Much more interesting, I’d wager.
Let’s hope that the Feds can get something done, with or without the help of Congress.
Why should the government bribe businesses to protect their own bloody information technology? They don't bribe businesses to put locks on their bloody doors, do they? If a company is dumb enough to have low-level security, they deserve to be hacked!
Your point is well taken, but in all truth the real issue is a chain is only as strong as its weakest link. The companies that get hacked allow a foothold to potentially expose the rest of the world to cyber assault.
Probably because it affects the customers too, in some cases thousands or even millions.
It's not just the store owner now, it's everyone else too.
Better this than getting your data stolen and possibly abused because of someone not being secure enough.
Using public money to get these organisations to do what they should be doing anyway is just like the postal service charging you extra to insure a package or letter to guard against them actually not bothering to carry out their contractual obligations. What the organisations with weak cyber security fail to grasp is that it's their reputation that is on the line; you can't pass that risk off to an insurance company!
You know who will get the "legal benefits"? Banks!
It will involve something like business' newest best friend, "arbitration" or limited liability for the banks whose business customers get phished and merrily transfer those customers' funds to the Ukraine.
I would love to agree with you, abeastwood, but we're not talking about a company's data, so much as that of its customers. Shame on a private company for being hacked when it could easily have been prevented (no sympathy here), but it's the customers of that company that need some sort of protection.
Unfortunately the majority of consumers lack the ability, knowledge and often even choice when it comes to which companies they deal with. I have to conduct business with a wide range of companies and I don't get to do a personal information security risk assessment on them first.
Sure I wish all companies would get proactive on protecting themselves all by themselves, but if it takes an incentive or two to help keep my information a little more secure and my services a little more protected then so be it. I think it's worth consideration.
How can companies beef up their business security, and how can the White House demand this, considering the NSA is spying on everyone? It makes no sense to me now that we know the NSA is building other databases on credit cards and the like.
The government isn't demanding it. This is going to entail voluntary opt-in to the guidelines.
Thanks for correcting me, Lisa: requesting via an opt-in.
To get your security incentive tax rebate, please email in plain text all security measures in place, user credentials, encryption keys, phone records, network details, network usage and proof of a backdoor for future data acquisition to our PRISM database for review…
Do the “opt-in” guidelines and benefits require creating a backdoor in all this new security for the NSA?
This is a hopeless cause. I was trying to convince senior management and their staff 30 years ago, and for many years since, to pay attention to IT security. While I achieved some success in my employer's companies (a FTSE 100 corporation), I have seen little evidence of any wider attention to the subject. Many of the problems reported on today are exactly the same ones, in management terms, as those we were experiencing in the late 80s and early 90s (after which time I retired).
Incentives are unlikely to be successful. Penalties don't seem to impress.
I suggest a change to corporate reporting standards – require the publication of their security policy and an audit against that with a serious threat of prosecution against the directors and senior managers who fail to provide a satisfactory report in their annual report. On failure they should also be taken apart by independent outside security auditors (who have no other connection with the company) with regulatory supervision until they have put the weaknesses right – and no government contract while that goes on.
This should also apply to government departments, agencies, and public service bodies.
Expensive? Yes, but not half as costly as the losses presently being suffered.