Siobhan Gorman penned an excellent article in Friday's Wall Street Journal, discussing how alleged contracting omissions led to a successful cyber attack by Iranian hackers. According to her article, the Navy failed to "require it to provide specific security for a set of Navy Department databases, and as a result, no one regularly maintained security for them."
The alleged contracting omissions illustrate one of the key, but often overlooked, defenses the private sector has against cyber threats -- assigning responsibility for security via contracting. Too often, companies merely sign agreements with software vendors, hardware manufacturers, and even cybersecurity providers without considering the terms and conditions of their agreement with respect to who is providing security and for what.
The failure to integrate security as a baseline component of information technology contracting can easily be the first crack in the foundation used to protect against cyber threats. If the parties to an agreement fail to clearly spell out cybersecurity responsibilities, you may well wind up with a situation where everyone assumes a system is being protected when in fact no one is protecting it.
Given the brutal reality of cyber threats -- namely that basically everyone is under attack -- failing to undertake some basic blocking and tackling is certain to cause major problems at a later date. Smart businesses, in contrast, will make sure to clearly spell out who is responsible for providing cybersecurity under the terms of their agreement. That way, responsibilities are clear, and with any luck, simple breaches will be reduced.