Stepping back from the latest cybersecurity headlines, there are many conclusions to be drawn looking across the last couple of years.
First, there’s the lack of mandatory reporting and the limits of voluntary reporting. Second, there’s the lack of real protection for the personal information we’ve entrusted to various companies. Third, there’s the clear indication that CEOs and corporations still aren’t paying enough attention to cybersecurity issues, perhaps because there’s been a startling lack of real penalty for failing to protect information from hackers. Finally, there’s a need to recognize that securing information is hard work on an ongoing basis.
It’s a truism of security that no product is a “silver bullet” to put an end to attacks. Another industry truism says security is a journey, not a destination.
There are few regulations that require organizations to report data breaches, especially those outside financial services and health care. Is it any surprise that companies are reporting breaches years after they occurred? How many unreported breaches will never surface? Without mandatory reporting, some breaches will never be reported. And without efforts to investigate the root cause of various frauds, voluntary reporting requires regulators and the public to trust corporations and their executives.
Unfortunately, we now have several examples of companies delaying their reporting. These delayed reports are likely the tip of an iceberg with respect to unreported data breaches.
There’s always been a clear need for regulations requiring the disclosure of data breaches and hacks that impact company operations. The challenge has been that breaches like this often have little or no impact on the company itself. With credit card information, the impact is mostly on the customers and their banks. And businesses have been successful in pushing back on cybersecurity regulation along with the general resistance to new regulation of the last several years.
National reporting requirements are critical. The current lack of these requirements has already started to cause problems. National requirements should build on the best of what states have in place already, and not limit what has already been done.
Additionally, we’ve seen value when banks have to describe their information security programs on an annual basis and disclose to regulators and boards what their program looks like. Every publicly traded company should be required to brief the board at least once a year on its information security program.
It is difficult to agree on the appropriate timeline for reporting. Some believe you should disclose the next day, while others point out it takes time to investigate. But recent examples demonstrate that two years is too long.
The Data Security and Breach Notification Act was recently introduced in Congress; the act proposes that organizations report within 30 days. This helps to establish a reasonable starting point for debate and discussion around reporting and puts us on the path toward a uniform national reporting requirement. Certain industries, especially those tied to critical infrastructure, should be considered for even tighter requirements.
Lack of real protection
Many companies aren’t protecting the information they have accumulated. Companies routinely ask for information about us: our credit cards, sometimes Social Security numbers, and other information they don’t need. And we give it to them. Then they hold on to more of that information for much longer than needed.
Any information that can be used for financial gain or fraud is now a target. And hackers have figured out more ways to monetize information - from ransomware to extortion scams. Estonia’s digital government initiatives are trying something very different; they are storing information only once, and managing access based on need. Instead of my data getting copied to every company that wants it, companies access the data where it is, when they need it.
In one recent headline, a company paid the hackers to delete the data they had stolen. It’s not clear why they believed the hackers would delete it. For the hackers, getting a certain paycheck and then continuing to sell the data in the usual places has appeal. Authorities are unlikely ever to find evidence that the hackers did or did not delete the data. Any individual experiencing credit card fraud may never connect it to any specific breach that might have included the same credit cards and personal information.
What is clear from the number of breaches is that companies aren’t protecting information well enough. Companies need to invest in protecting information they manage commensurate with its value – not just the value to the company, but also the value to various attackers. They also need to understand that attacks are inevitable, and that it’s very hard to keep a significant breach quiet for very long.
Again, there is a serious need for uniform requirements for data protection. The FFIEC requirements for risk-based decision making led to a lot of innovation in authentication for online banking. A similar risk-based requirement for public companies to protect the data they manage could lead to a lot of innovation in data protection.
Lack of attention
The number of breaches and associated press releases show that company executives aren’t providing the resources and attention needed for cyber issues. New, significant hacks now come on a regular basis, and there’s been a significant rise in attacker capability over the last 10-15 years.
Throughout that time, various executives should have become more aware of cyber concerns and begun to address them. Boards, executives, and regulators have generally missed the opportunities to invest at a more gradual rate, and now need to spend more over the next few years to try to catch up for their prior lack of investment.
One can also wonder at several other elements that are lacking:
- Cyber requirements for SEC-regulated organizations
- Board diligence around cyber issues
- Certification, required reporting, and expected experience and performance for chief information security officers
- Active enforcement and verification of voluntary reporting
- Updates to privacy requirements that are currently based on 1970s technology
For most companies, the penalties for apparently egregious mistakes in cybersecurity practices have been limited to a temporary decline in stock prices and some bad press. Sometimes a security executive is replaced. Only in a few highly visible examples have other executives paid a price.
Until there are more serious consequences for the companies, not just individuals, breaches like these will continue. Real fines and penalties are needed for the most egregious cases. And being called before Congress is not nearly bad enough.
Information security takes hard work
Statistics show the difficulty of securing information:
- The number of breaches.
- The number of security-related startups.
- Security-related mergers and acquisitions.
- The number and types of cybersecurity jobs.
- The sheer number of competing products around almost every aspect of information security.
Despite numerous books on every aspect of cybersecurity, there’s no cookbook everyone can follow for building a great security program. Companies need to integrate cybersecurity considerations, from risk management to a strong defense to understanding adversary activity, into their business decision making processes.
Senior executives and the board should be talking about the information security program at least annually. They need to overinvest for the next few years to recover from prior underinvestment. And they need to adjust to a new normal that includes ongoing cybersecurity considerations in almost all aspects of their business as more business activity and the technical underpinnings of the business are connected to the Internet.