2014 saw a series of high-profile data breaches, including the recent Sony breach in relation to the Hollywood film release of The Interview. It is expected that, globally, 2015 will focus further on tackling privacy and cybersecurity issues.
In the U.S., after a year of significant privacy and information security regulatory enforcement, litigation, and legislative activity at both the federal and state levels, President Obama has recently announced the proposal of new cybersecurity legislation (as further discussed elsewhere in this newsletter). The proposal includes (i) the promotion of cybersecurity information sharing including targeted liability protection, (ii) federal legislation intended to simplify and standardise data breach reporting requirements, and (iii) legislation aimed at protecting student information by prohibiting companies from selling student data for non-educational purposes.
Similarly, in the UK, David Cameron announced on 16 January 2015 new measures to guide UK businesses in combating cybersecurity challenges. The new measures include a revised version of the “10 Steps to Cyber Security” guide on how to stop common cyber-attacks, and improved cybersecurity information and advice for businesses. The UK government’s National Cyber Security Programme has been developing a variety of policies and goals to improve the country's strength and resilience. Furthermore, there is ongoing discussion in the EU in respect of a proposal for a Cyber Security Directive concerning measures to ensure a high common level of network and information security across the EU.
Overall, and certainly in the UK, the industry consensus is that businesses should stop worrying primarily about preventing intruders getting into their computer networks, but concentrate instead on minimizing the damage they cause when they do. Experts believe the answer is to focus efforts on effectively detecting security breaches and then responding as speedily as possible. However, it must be stressed that whilst increased recognition of security at board level within a firm is reassuring, it is important that this information is filtered down to those who manage the business and that internal training programs are devised in order to ensure privacy and cybersecurity are properly deployed.
One important technique to make life harder for hackers is “network segmentation.” This involves separating one part of the network from another in such a way that if hackers get onto the network they only get access to the data in that segment and no more. The downside of this method is that it may be inconvenient for employees on a day-to-day basis and productivity would potentially suffer. Improvements in encryption methods, if integrated with network segmentation, will undoubtedly be valuable for companies because, although they are not insurmountable, together they certainly present a considerable obstacle which will hamper a hacker’s progress and could be enough to make them look elsewhere.