Opinion I

When it comes to cybersecurity, the time to talk is over. The time to act is now.

Cybersecurity – Protecting Information — Now!
The increasing threat to private and sensitive data requires constant monitoring and appropriate precautions. The time to talk about cybersecurity is over. It’s time for governments to act.

The ever-increasing threat to private and sensitive data requires constant vigilance and appropriate precautions and controls. All too frequently, data is lost, stolen or accessed by unauthorized individuals. Whether intentional or accidental, the consequences can be devastating — ranging from negative publicity to the more serious breach of a person’s identity.

The passage of breach-notification laws across the country has brought a new awareness of cybersecurity. No longer is the discovery of an information breach kept secret. It now has broad ramifications, which include — but are not limited to — the loss of public confidence, as well as an impact on the bottom line.

Yet, despite the recent focus on these breaches, many executives may not be aware of their organization’s policy — if there is one — as it relates to who has access to private or sensitive data, and when and how they access it.

We are all responsible for protecting the information in our care. It is no longer acceptable to leave the issues of access and transport to technical staff. Senior management must get involved. A proactive role provides sound leadership. And it’s more cost-effective to proactively manage the issue than to respond, and recover from, a breach from an unauthorized disclosure.

It’s essential to address the protection of data — both in transit and transport and at rest. Here are some starting points:

Step 1: Making Policy

The main thing is to just get started. If you don’t have a policy, create one. Ensure that your organizational policy clearly addresses access to and transmission, transport, and storage of private and sensitive information. The policy must include the appropriate method for the disposal of media used to store private and sensitive information. Data classification is another key component. Without it, it’s difficult to know what to protect.

Management should be concerned about removable storage devices. Notebook PCs, thumb drives, cell phones and MP3s have exploded into mainstream culture. While these storage devices have greatly enhanced the convenience of sharing information, without appropriate security procedures, they can be the source of much consternation and potential damage. Ensure that you have a clear policy on removable storage devices: whether they are allowed and, if so, under what circumstances.

Although creating a policy may take some time, you can start immediately by querying your staff to identify who has private and sensitive data, and where and how it is stored. In other words, take an inventory. Consider issuing a stop-gap procedure that establishes the minimum requirements necessary to transmit, transport or store private or sensitive data. You don’t have time to lose. You must act now.

Step 2: Identifying Processes

The second step involves identifying and implementing appropriate security methodologies. It’s imperative to implement encryption, two-factor authentication and other methodologies to protect data. Look to industry standards for appropriate encryption and other methodologies. Good security procedures will include a combination of multiple methodologies.

Step 3: Checking Compliance

The third step is to monitor compliance with the policy and procedures. Make sure that the policy is implemented.

The moral of the story is that the time to talk is over. The time to act is now. So get started!

Learn more about how to implement cybersecurity in the booklet “Local Government Cyber Security: Getting Started,” available through the MS-ISAC (Multi-State Information Sharing and Analysis Center), Local Government Committee. Visit www.msisac.org for more information.

William F. Pelgrin is the director of the New York State Office of Cyber Security and Critical Infrastructure Coordination and the chair of the Multi-State Information Sharing and Analysis Center.

Oct 31 2006