
Regulators strike a different cybersecurity tone
A directive issued by the Federal Trade Commission (FTC) that requires GoDaddy to improve the security of its hosting services suggests the Federal government is getting more prescriptive about the guidance being provided to the private sector.
After a series of breaches stretching back as far as 2018, the FTC at the beginning of this year accused GoDaddy of violating Section 5 of the FTC Act for failing to implement standard security practices on customers’ websites despite touting “award-winning security.”
The FTC, as part of a settlement, has now issued an order that specifically requires GoDaddy to designate one person to be in charge of an information security program; adopt a security information and event management (SIEM) tool or some other tool that provides near-real-time analysis of security events; create a system of audit logs; address authentication issues with certificates, public-private key pairs, or similar technologies; and implement multifactor authentication for employees, contractors and third-party affiliates.
GoDaddy must also submit to an initial review and then undergo evaluations of its security operations every two years by third-party assessors.
While most cybersecurity professionals would agree these measures amount to requiring GoDaddy to adopt a generally recognized set of best practices, the FTC is striking a decidedly different tone than other government agencies have in the past. Most of the criticism directed at private sector organizations has come in the form of advice rather than as a directive.
Additionally, the FTC is engaging in a certain amount of public shaming in the hopes that other organizations that have lax cybersecurity might become more motivated to address those issues before the FTC or some other agency determines there is a need to come calling.
In general, governments around the world are paying a lot more attention to the actual level of cybersecurity being implemented across the private sector. There is now a better appreciation around the globe of the national security implications of widely used platforms. Microsoft president Brad Smith, for example, last year found himself apologizing for lax company cybersecurity practices that were uncovered by the Cyber Security Review Board (CSRB), an arm of the Cybersecurity and Infrastructure Security Agency (CISA).
Federal agencies may not have the resources required to broadly review cybersecurity practices across the entire private sector, but the tenor and the tone of engagements with Federal agencies are changing. There is clearly less sympathy for organizations that fail to implement appropriate levels of cybersecurity. The days when it was unfair to blame the victim of a cybersecurity attack are coming to a close. Now the expectation is that organizations are not only well aware of the risks they face but must also be seen actively taking steps to mitigate them.
Each organization, as a result, should take stock of its current level of commitment to cybersecurity. It’s unlikely anyone from a federal agency is going to show up tomorrow asking difficult questions, but in the event of an incident, IT and cybersecurity teams should expect to be asked much more pointed questions about what measures they took to prevent it from occurring in the first place.