I read two articles today discussing how to provide protection from cyber attacks, but in two very different ways.
The first comes from the government, which has been focusing on cyber incidents for a while, but now it appears that Congress wants to give the president power to take control of the Internet in an emergency. According to a CNET News article, under the Protecting Cyberspace as a National Asset Act (PCNAA):
the federal government's power to force private companies to comply with emergency decrees would become unusually broad. Any company on a list created by Homeland Security that also "relies on" the Internet, the telephone system, or any other component of the U.S. "information infrastructure" would be subject to command by a new National Center for Cybersecurity and Communications (NCCC) that would be created inside Homeland Security.
One of the hopes of the NCCC and the legislation is that perhaps now federal agencies will take cyber security more seriously. It also recognizes the potential threats that the Internet and our globally wired world present and gives the president power to make decisions to defend the country.
The second article talks about the need for cyber insurance for enterprises to protect against the fallout from a data breach. The article, by David Navetta and posted on InformationLawGroup.com, explains how the University of Utah was denied coverage for a security breach involving 1.7 million records, information that was stolen through the negligence of a third-party service. According to the article, it appeared that neither the school nor the vendor had cyber coverage. Navetta then pointed out the importance of companies protecting their assets:
Most cyber insurance companies provide coverage for "breach notice costs," including mailing costs, credit monitoring and call center expenses. In addition, most cyber policies provide coverage if the security breach happens to one of the insured's service providers. That coverage would have addressed the vast majority of the expenses incurred by the University (most cyber policies, however, probably would not provide any coverage for the personnel hours expended internally to address the breach). The moral of this story is if you are an organization that handles a lot of personal information (or other sensitive information), regardless of how secure you think you are (and by now everybody knows that there is no such thing as perfect security; breaches are a matter of when and how bad at this point), you should seriously consider cyber insurance in your risk management mix.
I'll repeat Navetta's comment: There is no such thing as perfect security. Therefore, we need to take advantage of any opportunity to stay protected as best we can.