Despite more than two decades of efforts, computer and data storage breaches continue unabated. Washington State, for example, released annual statistics showing 280 data breaches in 2020 (including one breach that impacted more than a million customers) in Washington State alone. The report also detailed a large uptick in cyberattacks, and ransomware incidents.
As a result of seemingly never-ceasing efforts by cybercriminals, cybersecurity protocols continue to evolve. For example, the National Institute of Standards and Technology (“NIST”) recently announced a new framework for cybersecurity and ransomware risk management. Nearly every state has a statute or regulations that require government agencies and private businesses to take reasonable state-of-the-art steps to secure data collected and stored. The NIST standards are one of the benchmarks used when evaluating whether a government agency or private company has satisfied current state-of-the-art standards with respect to cybersecurity. For example, the US Department of Defense requires its private contractors to meet NIST standards when complying with cybersecurity requirements.
The new NIST framework is an effort to simplify how companies and agencies should “frame” cybersecurity issues because the actual protocols are very complex. On the one hand, organizations need a “high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.” But, at the same time, an organization needs a simplified framework with respect to how to understand what it is “seeing” from the “high-level, strategic view.” In this way, an organization can better assess its mitigation and recovery readiness and gauge and manage its risks. The Framework provides a simple-to-understand five-word list of core cybersecurity objectives: identify, protect, detect, respond and recover.
On a practical level, NIST provides a long list of steps that “fit” into each part of the overall framework. A few examples include:
- Audit and identify all systems and connected devices — identify
- Differentiate data as high, medium and low risk — identify
- Disallow personally-owned devices — identify and protect
- Disallow personal use of organization-owned systems — identify and protect
- Prioritize protection of high risk data such as data that allows person identification — identify and protect
- Segment networks and firewall — protect
- Allow only specific user activity and installation of apps — protect
- Use multi-factor access protocols and other protections — protect
- Assign, monitor and manage authorization and access credentials — protect and detect
- Never stop using antivirus and other security software — protect, detect, response and recover
- Update and patch constantly — same
- Monitor continuously (both passively and actively) — detect, respond and recover
- Actively block access to malicious activity — respond
- Constantly train employees at the appropriate level — detect, response and recover
- And more
Some of these evolving security protocols are already being put in place. For example, the Department of Defense recently modified its cybersecurity certification program for DOD contractors. Contractors have already been categorized into three levels of risk based on the data they collect and to which they have access. For the lowest level risk level, the DOD is making it easier for the contractors to obtain and maintain their certifications. If you have legal questions about data security, how to respond to data breaches and ransomware attacks or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100.