A quick Google search will show you that the frequency, severity, and cost of security breaches are all continuing to rise worldwide. There has also been a recent increase in attacks on public infrastructure, such as schools, hospitals, and manufacturing plants, which had previously drawn relatively little attention in the cybersecurity world.
At this point, it’s becoming very clear that pretty much nothing is off limits to threat actors. Along with that, it’s clear that what we’re doing in the cyber community to stem these attacks is not working.
Dark Reading reported last month that cybersecurity experts are predicting government regulation in the cybersecurity industry is going to increase as a response to increasing attacks. This week, we’re taking a look at why that’s likely to be true.
How Have Businesses Responded to Increasing Threats?
For the businesses that haven’t yet suffered a high-profile breach, there seems to be very little change in their approach to security. Many companies still mistakenly assume they are not a target for threat actors, and they’re generally failing to take adequate steps to protect themselves against security incidents.
Companies fail to prepare themselves for a variety of reasons. Plenty of organizations get breached simply because they are unaware of the risks they face. Companies that cut security spending to save money in the short term are also frequently breached through the gaps that creates.
However, there are also many companies that are unprepared for cyber attacks because of fatigue. They hear about the breaches every day, and some get almost fatalistic. They don’t believe they’ll be able to stop a breach, so why bother trying?
If that’s your mindset, you need to abandon it as soon as possible, because it’s absolutely untrue that breaches are unstoppable. In reality, there are basic things you can do that make it much less likely you will experience a breach, and if you do experience one, its severity will be significantly reduced.
Government Responses to Increasing Breaches
On the government front, we’re seeing a different stance. Governments, NGOs, and other regulatory organizations are indeed beginning to notice that cybersecurity is something that businesses are really struggling with. The costs of the resulting breaches both in the public and private sector are so high, governments have no choice but to take action.
There’s been a flurry of activity on the regulation front over the last 10 years, with most of it geared towards establishing cybersecurity standards for businesses. This is happening globally — it’s not just in the U.S.
New regulatory bodies have been created in recent years. Lawmakers around the world are starting to consider and even pass legislation and regulations, specifically around privacy and ensuring that basic security controls are actually implemented.
However, given that cybersecurity is a highly complex and technical topic, regulating the industry poses a challenge for lawmakers. Many of the current policy attempts have proven to be difficult to implement, and in some cases technically impossible.
EU-U.S. Data Privacy Framework and TikTok Bans
The EU-U.S. Data Privacy Framework is a perfect example of how cybersecurity regulation has struggled. The aim of the Data Privacy Framework is to give businesses a lawful basis for transferring EU residents’ personal data to the U.S., on the condition that the receiving companies implement adequate privacy and security controls.
And while it has good intentions, the Data Privacy Framework and its predecessors have been mired in court challenges from the start. There is a real opportunity for regulation here, and the framework is heading in the right direction, but it just hasn’t proven to be effective yet.
American legislators have also attempted to ban certain applications and companies, including TikTok, from doing business in the U.S. Although I do think this was well-meaning and not completely without merit, these bans haven’t held up in court because they violated free speech rights in the U.S. Constitution.
Legislation Targeting Reporting Deficiencies
It’s clear from these examples that lawmakers are generally ill-equipped to regulate the cybersecurity space, and that they need to proceed carefully if they want to produce legislation that actually works. However, recent U.S. legislation targeting reporting deficiencies has shown some promise.
A string of companies, Equifax and Uber among them, have failed to report breaches in a timely manner. In some cases, much like classic insider trading, people with inside knowledge of an undisclosed breach sold stock before the news sent the price down.
Ordinary and institutional investors alike had no way to compete against those with insider knowledge. And when these breaches involve sensitive customer data, such delays leave individuals exposed to follow-on attacks without the information they need to protect themselves.
This legislation sets reporting deadlines that require a company to disclose a breach promptly, before anyone who knows about it can act on that knowledge ahead of other investors.
Only time will tell how effective this legislation will be, but it’s fairly short, concise, and targets a very specific deficiency. Hopefully, it can be an effective example for lawmakers to follow in the future.
Is Government Regulation the Answer to Breaches?
While many regulation attempts have been clunky, I still believe it’s the best way forward. I’m always hesitant to advocate for increased government regulation, but I do recognize that self-regulation isn’t working for our industry.
Barely a day goes by when I don’t encounter a business leader who believes they can’t be breached. It’s shocking. And because the frequency, cost, and severity of breaches are still rising, it’s clear that the cybersecurity industry isn’t doing enough on its own to prevent breaches.
I get it. Security is hard. And people are predisposed to take the easy road. So, unless we as professionals can find a way to make security the path of least resistance, I don’t see a way to avoid increasing cyber regulation.
I would also like to see more support from governments and NGOs to help protect businesses from attacks with nation-state backing. Some of these threat increases are driven by rogue nation-states, either by funding the activity or by outright perpetrating attacks.
By and large, the U.S. government and NGOs are standing by and allowing this behavior to continue. There need to be more sanctions and more direct action to deter these countries. Right now, most of these threat actors, quite frankly, are acting with impunity. They see very little consequence for their actions, and that’s why they keep perpetrating this kind of attack.
North Korea is a perfect example. Its operators fund the regime by draining cryptocurrency wallets, and there has been little visible effort to combat that. North Korea is already sanctioned, and other countries aren’t willing to escalate beyond that to punish its behavior.
Moving forward, regulatory agencies will have more success building policy if they also engage the cybersecurity community for information and guidance. There should be experienced cybersecurity professionals acting as strategic advisors and partners at the table during conversations about building regulations.
Involvement from the security community would go a long way toward reducing the pitfalls and inconsistencies that have plagued these policies to date. The security community is well equipped to identify such shortcomings up front, which would make for a smoother transition and easier adoption by businesses and other organizations.
Black Kilt is Here to Help
Our experienced professionals have deep expertise in security. We also understand that we can’t trade business capability or functionality for absolute security. There needs to be a balance, taking a risk-based approach. Sometimes, it’s enough to identify and accept specific risks, with a monitoring policy in place.
Our team knows what options are available. We will work with you to understand your organizational capabilities and requirements and create a security strategy that provides maximum protection and recovery capabilities without breaking the bank. Contact us today for a free consultation.