5 lessons we learned from Obama's new cyber security framework

On Wednesday, US President Barack Obama's administration issued an executive order aimed at setting out a comprehensive framework for the nation's cyber security.

The framework is designed to help operators of critical infrastructure develop up-to-date and effective cybersecurity programs. It's a voluntary scheme, but it's hoped that it will help improve cyber awareness and overall security.

According to the text of the order, "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."

But what exactly does it include, what advice does it contain, and could it help your business?

We count down the top five most important points in the new cyber security framework to see what they can tell us.

5. Good security is good business

According to one White House official, one of the framework's main goals is to help "companies prove to themselves and to their stakeholders that good cybersecurity can be the same thing as good business."

Increasingly, companies with poor cyber security are risking more than just their business secrets, their customers' data and the integrity of their networks. Today an enterprise with a laissez-faire attitude to cyber security is risking its very existence.

From Adobe losing its "crown jewels" to US retailer Target causing problems for countless customers, cyber security is something to be taken seriously, and a threat that can do very real damage to your customers, your credibility and your bottom line.

4. Prioritising and planning is key

One of the terms used over and over again in the order is "critical infrastructure". But what does that mean? According to the order, "the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

When drawing up a cyber security strategy, you have to identify what critical infrastructure means for your business. Could your business keep going if the website was brought down in a DDoS attack? Would it mean the end if customer data was breached and leaked online?

Make sure you know the risks, and take steps to protect yourself before the worst happens.

3. Share information

Obama's executive order says "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with US private sector entities so that these entities may better protect and defend themselves against cyber threats."

We have a similar scheme at work in the UK. Within a business, information sharing between departments is just as crucial. If HR have been noticing suspicious activity on one computer, how can you tell whether this is an isolated anomaly or part of a system-wide infection without a system for logging and reporting cyber security incidents?

Proper security can sometimes mean sharing information outside the organisation, too – but of course only when appropriate. If you suffer a data breach for instance, it's time to seek outside help. The police need to know, and so do your customers. Look at the example of Australian dating site owner Cupid Media, which suffered a huge data breach with 42 million unencrypted passwords and failed to tell its customers, thus exposing them to the risk of identity fraud.

2. Get the experts on the case

One key aspect of the order is that "In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis."

In business, it's also key to bring in people who know the field of cyber security, who can help advise you on how to stay secure, conduct regular penetration testing and even train employees on how to resist social engineering attacks.

Without knowing the latest best practice, it will be impossible to implement proper security.

1. Give incentives to be secure

Businesses participating in the US government programme will be provided with reasons to take part and take the programme seriously. According to the order, "The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program."

In your business, you'll face similar challenges when implementing a cyber security strategy. You need to find ways to engage employees and make cyber security matter. After all, protecting the company's network can seem like quite an abstract concern when employees have deadlines for projects or key performance indicators to fulfil.

Rewarding employees who do well in random social engineering pen tests, even getting employees to try to socially engineer each other, or holding tongue-in-cheek shaming of employees with poor security practices could help bring the message home.