The new cybersecurity directive is the first to propose mandates for securing data. Here’s what that could mean for SaaS firms…
In recent years, report after report has highlighted how cyber attackers have made short work of accessing everything from personally identifiable information to research data and other intellectual property. Reports show that hackers have targeted healthcare since 2014. Russia is suspected of a series of cyberattacks during the COVID-19 pandemic, and the U.S. Department of Health and Human Services reported that there were 642 healthcare data breaches in 2020, exposing over 27 million patient records. These incidents highlight the ongoing threat of cyberattacks and the need for increased security measures to protect sensitive data.
The Biden administration has made cybersecurity a clear priority. While every administration since 2008 has issued Presidential Directives on cybersecurity, the current strategy is the first to propose mandates for securing data and making organizations liable for not implementing cybersecurity controls.
This strategy has important implications for SaaS businesses and affects the steps they take to improve their security posture.
What to Know About the Proposed Cybersecurity Strategy
The Biden-Harris administration’s proposed National Cybersecurity Strategy aims to close the current gap between compliance standards and government regulations. Many private entities comply with cybersecurity frameworks such as SOC 2 and ISO 27001 that require preventive security controls, such as continuous monitoring and regular vulnerability assessments. However, these frameworks are optional.
While governments have enacted privacy laws such as GDPR and CCPA, they have not passed laws that require private organizations to implement specific cybersecurity measures.
The proposal recommends implementing several cybersecurity strategy best practices. These include:
- Expanding the use of minimum cybersecurity requirements in critical sectors.
- Defending and modernizing federal networks.
- Updating federal incident response policies.
- Engaging the private sector in disruption activities through scalable mechanisms.
- Addressing the ransomware threat through a comprehensive federal approach.
- Shifting the liability for software products and services to promote secure development practices.
Engaging the private sector and shifting liability of cybersecurity to software products and services is a major change in the U.S. government’s cybersecurity strategy. By shifting liabilities to private software products and services, the U.S. government can hold private entities liable for not implementing certain cybersecurity controls.
For example, if the new strategy were to become law, it could potentially make it illegal for organizations to collect sensitive data without encrypting it. Currently, when private organizations don’t comply with security controls from compliance frameworks, they simply don’t receive their certification or report.
Under the new proposal, organizations could be fined or even face legal ramifications if they do not comply with the security controls required by the U.S. government. This could upend the entire tech industry: many organizations would suddenly fall out of compliance if they do not have the necessary security measures in place.
How the National Cybersecurity Policy Impacts SaaS Companies
It’s important to note that the strategy is not yet a law but a policy document, so it doesn’t change how we deal with cyberattacks as of now.
Still, the proposal’s shift of liabilities to software products and services is likely to ring alarm bells for SaaS business owners. Currently, consumers are responsible for software vulnerabilities that result in cyberattacks. For example, if a user downloads new software that introduces a vulnerability and allows access by an attacker, the software manufacturer is protected by the software licensing agreement signed by the user accepting the risk of liability.
Under the new strategy, however, the software producer would be liable for enabling the vulnerability to be introduced to the user’s computer. If this strategy is signed into law, SaaS businesses will need to reallocate funds and other resources to cybersecurity to comply with government regulations. This change will require new roles, responsibilities and assets in cyberspace.
What SaaS Companies Can Do to Prepare for the New Cybersecurity Strategy Policy
To best prepare, organizations should implement some fundamental cybersecurity controls and follow best practices. If an organization is already complying with some of the most common frameworks such as NIST 800-53, SOC 2 or ISO 27001, then they are already one step ahead.
There are, however, three actions organizations can take right now to prepare for this potential law:
- Build a cybersecurity program using a globally accepted cybersecurity framework.
- Implement data privacy controls using guidelines from GDPR and CCPA.
- Implement fundamental cybersecurity best practices such as encryption at rest, IDS/IPS, regular vulnerability scans and annual penetration testing, etc.
Currently, private entities are responsible for securing the majority of U.S. citizens’ data. Shifting liabilities to software products and services is a major change to protect data privacy that will significantly strengthen the nation’s cybersecurity posture. The proposed National Cybersecurity Strategy is a significant step in promoting secure development practices and protecting data privacy.
While the strategy is still in the proposal stage, it has the potential to shift liability from consumers to software producers. That means SaaS businesses need to begin adapting their focus and resources now, both to comply with future regulations and to ensure their cybersecurity posture is strong — regardless of what happens at a national level. By implementing minimum security requirements, modernizing your networks and updating your incident response policies, you can take a giant leap toward protecting your company from attack.
Click here to view the original post on Built-In by Rhymetec CISO, Metin Kortak.
About The Author: Metin Kortak, CISO
Metin Kortak is the Chief Information Security Officer at Rhymetec. Metin began his career working in IT security and gained extensive knowledge of compliance and data privacy frameworks such as SOC 2, ISO 27001, PCI, FedRAMP, NIST 800-53, GDPR, CCPA, HITRUST and HIPAA. He joined Rhymetec to build data privacy and compliance as a service offering. Under Metin’s leadership, these offerings have grown to more than 200 customers, positioning the company as a leading SaaS security service provider in the industry.
Rhymetec also offers a range of penetration testing services including:
- Mobile Application Penetration Testing
- Web Application Penetration Testing
- External Network Penetration Testing
- API Penetration Testing