February 02, 2016

CISA: What You Should Know About the New Information Sharing Act

The federal Cybersecurity Information Sharing Act of 2015 (CISA) was recently signed into law – and the timing couldn’t be better.

CISA was created to improve cyber security in the United States through the systematic sharing of information about cyber security threats.

Protecting confidential information from cyber criminals is a huge issue for everyone today.

Hundreds of Threats Per Minute

“There are 80 to 90 million plus cybersecurity events per year, with close to 400 new threats every minute, and up to 70% of attacks going undetected,” said Sarbjit Nahal, managing director of Bank of America Merrill Lynch in a welivesecurity.com post. Citing a Merrill Lynch report, he said that up to one billion data records were compromised in the U.S. in 2014.

The cost of cyber crime keeps rising too. The 2015 Ponemon Institute Cost of Cyber Crime Study: United States showed that it increased 96% between 2010 and 2014. Every year cybercrime costs companies between $1.9 million and $65 million each. Plus, the per capita cost is significantly higher for small organizations than for larger ones ($1,571 versus $667).

Organizations Are Not Prepared

Most respondents in the 2015 Global Cybersecurity Status Report from ISACA (Information Systems Audit and Control Association) said that cyber attacks are one of the top three threats facing organizations today – but only 38% felt prepared to fend off a sophisticated attack.

Share Threat Indicators

While CISA won’t solve all the problems, supporters believe it will help.

The act rallies businesses and the federal government to share threat indicators and other cyber threat activity. The Department of Homeland Security (DHS) will share information if warranted – to ultimately warn other companies.

Unlike privacy legislation, CISA is a voluntary bill so organizations decide whether or not they share information. At the same time, the law grants full immunity from government, private lawsuits and other claims that may arise from sharing private data.

Real-time cooperation will be essential, commented security expert Brian Krebs of krebsonsecurity.com. Hackers can strike fast, and information is needed right away.

CISA final policies and procedures will be issued in June 2016.

Here are best practices in cyber security:

  • Develop a cyber security policy, and support a culture of security from the top down.

  • Assemble the right team headed by a Chief Information Security Officer (CISO). The biggest impediment to properly managing breaches, said Krebs, is a fundamental lack of appreciation from the organization’s leadership on down for how much is actually riding on technology.

  • Use a security risk assessment to identify vulnerable areas and to create – and update – a data breach response plan.

  • Ensure all employees receive security training.

  • Protect the organization’s network and hard drives. Regularly monitor, review and update information security practices, systems and software.

  • Partner with a document destruction company for secure e-media and hard drive destruction. Confidential information should be 100% non-recoverable.

A comprehensive document management program protects electronic information from creation through to destruction – to minimize the risk of a data breach and support online security.