Attracting and retaining experienced IT professionals will be essential for the private sector to address cyberthreats.

Even though awareness around the risks posed to businesses from cyberthreats is growing, spending to increase cybersecurity in the private sector is lagging.

According to a new report and survey from the Institute of Information Security Professionals (IISP), current spending is not enough to implement the technology, compliance programs and staff awareness training necessary to abate cyberthreats. The IISP determined its findings by examining the security budgets allocated at private companies across multiple global sectors, as well as how these budgets have changed following well-documented and widely publicized cyberattacks.

The report found two-thirds of the companies surveyed increased their cybersecurity spending following data breaches such as those seen at businesses including Target and Anthem. However, the report concluded that even businesses that are increasing their investment are not doing so at a level that matches the growing risks they face. These include threats related to external attacks, insider misuse, low staff awareness and technical device and service proliferation.

"Increased spending is vital for attracting and retaining IT professionals with adequate knowledge and experience."

Increased spending is especially vital for attracting and retaining professionals with adequate knowledge and experience to oversee successful internal cybersecurity operations, the report found. A widespread shortage of skilled staff was reported, both in terms of number of employees and employees with adequate expertise. Reasons for this included increased competition to attract these professionals, meaning retention is becoming more costly for companies. However, internal factors, including lengthy hiring processes, are also making it more difficult for businesses to recruit and retain talented cybersecurity staffers.

The report concluded there is a "growing problem" in the private sector relating to the increased frequency, variety and sources of cyberattack. Additionally, there is greater reliance on increasingly complex IT systems, often without the security staff and regulatory environment needed to maintain these systems or create a culture of cyber awareness among non-IT employees.

While the report found awareness of cyberthreats has increased, without adequate spending many companies may be experiencing a false sense of security.

Public sector spending goes up but problems remain
Meanwhile, as TechTarget reported, cybersecurity spending in the public sector saw an increase as President Barack Obama included a $19 billion cybersecurity spending bump in his fiscal year 2017 budget. However, as TechTarget contributor Adam Rice argued, spending alone is not enough to implement effective cyberrisk management.

Just as experts in the private sector argue for the integration of cybersecurity awareness into all departments of a company, Rice noted the federal government will need to work to unify its currently decentralized IT departments.

"Many federal departments are comparable to Fortune 500 companies in terms of size and scale," Rice wrote. "They have thousands of employees and millions in their IT budgets."

In addition to increasing compliance with the Federal Information Security Management Act's best practices, federal agencies, like private sector businesses, will need to work on increasing interdepartmental communication and matching market-driven compensation in order to attract the most qualified professionals.

Information security officers and risk managers can work together to select and customize cyber insurance policies.

Cybersecurity insurance, once under the exclusive jurisdiction of risk managers, is becoming an increasingly collaborative experience for both risk and information security officers.

According to a recent report, the purchase of cybersecurity insurance is not only increasing – up 27 percent in the U.S. in 2015 – but the economic damage of a successful cyberbreach is also going up. Previously, traditional insurance policies may have included some coverage of cyber incidents, but now most insurers will require specific cyber insurance policies to cover these risks, TechTarget reported.

Industry experts speaking with TechTarget noted that early cyber insurance policies were often very broad. Today, though, cyber insurance offers a range of nuanced coverage, which may include financial protection for data breaches, ransomware attacks, forensic teams, notification expenses and other liability costs. Companies with specific risks, such as loss of valuable intellectual property, may also wish to customize their policies further. This is why information security officers are becoming increasingly involved in selecting an organization's cyber insurance coverage.

Customizing a cyber insurance policy
As Security InfoWatch reported, the involvement of security officers is especially important as businesses navigate the many different policies and price points that are available to them. The number of companies purchasing cyber insurance increased approximately 250 percent between 2013 and 2015, the news website noted, but collaboration with cybersecurity professionals isn't increasing at the same rate.

Working with a security officer affords another advantage as well: It can help to lower the cost of the insurance the organization selects. Security InfoWatch found that many insurers offer lower rates to organizations that take active steps to reduce their risks. One way to do this is to have a cybersecurity program in place before purchasing insurance. This may include employee training on best practices, a breach response plan and internal and third-party audits of corporate networks, cloud providers or other services that access sensitive information. Organizations should also ensure all third-party vendors are complying with internal cybersecurity procedures during their interactions with networks or networked devices.

"Working with a security officer can ensure compliance with the insurer's cyberrisk mitigation requirements."

Reviews by security professionals may be especially important as the cyber risks covered by insurers evolve. According to New York Law Journal, some insurers may offer "stand-alone" policies adapted for the organization's specific needs, while others offer cyber-related provisions attached to other more general policies. Therefore, it is very important for an organization to understand the coverage provided by the specific policy it is purchasing, as well as the liabilities it must assume.

For example, if companies fail to follow the requirements laid out in their policy – such as not properly securing their servers or training employees on mitigating cyber risks – they may nullify their insurance coverage. Information security officers should be able to review the insurance policy and ensure all required actions are completed.

Additionally, organizations need to ensure they have purchased adequate coverage for their risks. As the Journal noted, following the notable breach of Anthem in 2014, the company exhausted its cyber insurance coverage through credit reports and notifications for affected customers alone. An information security officer will be able to help risk managers access the appropriate level of coverage for the organization.

New OSHA regulations require employers to establish protections for employees reporting work-related injuries.

The Occupational Safety and Health Administration has issued its final ruling on modernizing injury data collection in workplaces, requiring employers to meet electronic recordkeeping guidelines for reporting workplace injuries and illnesses and making such records publicly available.

Under the new rule, employers in high-hazard industries will be required to send injury and illness data to OSHA to be posted on the agency's website.

"The final rule prohibits employers from discriminating against employees for reporting injuries or illnesses."

"Our new reporting requirements will 'nudge' employers to prevent worker injuries and illnesses to demonstrate to investors, job seekers, customers and the public that they operate safe and well-managed facilities," Dr. David Michaels, Assistant Secretary of Labor for Occupational Safety and Health, said in a statement. "Access to injury data will also help OSHA better target our compliance assistance and enforcement resources at establishments where workers are at greatest risk, and enable 'big data' researchers to apply their skills to making workplaces safer."

As Business Insurance reported, this rule affects organizations with 250 or more employees in industries covered by OSHA's existing recordkeeping regulation – meaning those that submit OSHA Forms 300, 300A and 301 each year. Additionally, the rule includes businesses with 20 to 249 employees in high-risk industries, such as agriculture, forestry, construction and manufacturing.

Information for 2016 must be submitted by July 1, 2017. Information for 2017 must be submitted by July 1, 2018. Beginning in 2019, data will need to be submitted by March 2 each year.

Internal changes
OSHA's new regulation requires employers to implement an employee injury and illness reporting system that meets specific criteria. This includes the following:

  • Creating a way for employees to promptly and accurately report work-related injuries and illnesses
  • Establishing anti-retaliation protections so that employees do not feel discouraged or deterred from reporting injuries or illnesses
  • Informing employees of their right to report work-related injuries and illnesses

The final rule also explicitly prohibits any employers from discharging, punishing or discriminating against employees for reporting injuries or illnesses.

By August 12 of this year, employers will be required to have formal programs in place for informing employees of their right to report injuries and illnesses, in a way that does not discharge or discriminate against employees for reporting.

According to Lexology, risk managers may wish to review these policies before implementation. Certain aspects, including safety incentive programs and post-accident drug testing, could be considered discriminatory actions under the new OSHA ruling.

If drug testing, or the threat of drug testing, is only administered to employees who report injuries or illnesses, it would be considered an action that discourages reporting. Employers are advised to limit post-incident testing to instances in which drug use was likely to have contributed to the accident and can be accurately identified.

Incentive programs, such as those where employees can win a prize if they are not injured over a set time, may also be considered detrimental if they encourage the under-recording of injuries and illnesses. Using incentive programs to impair accurate recordkeeping is also prohibited under the OSHA rule.