In the wake of rapidly increasing phishing and ransomware campaigns, the Federal government is weighing whether to require companies and organizations to report cyberattacks.
Mandatory notification laws at a Federal level have long been a source of disagreement, specifically from Republicans who have traditionally been staunch opponents of new regulations on businesses. Recent high-profile attacks on Colonial Pipeline, which manages the country’s largest fuel pipeline, and JBS, which is the largest meat processor and distributor in the world, have changed minds, at least in the House, and made a more coherent Federal cybersecurity policy an urgent priority.
One challenge that has thus far stymied efforts at law enforcement and reporting has been that many companies neglect to report when they’ve been targeted by cyberattacks. The reasons are many: news of breached or leaked customer data can damage a company’s reputation, the costs of cyber incident insurance policies are continuously increasing, and companies can sometimes be fined or sued for poor cybersecurity practices under laws such as the European Union’s GDPR.
Is forced disclosure of cyberattacks a good or bad thing for businesses?
A disclosure requirement for businesses would almost certainly cause discomfort in the short term. Data breaches and ransomware attacks can and have caused damage to companies’ reputations. (It should be noted that this effect has typically been temporary: Home Depot, Target, LinkedIn, P.F. Chang’s, Experian, and countless others emerged from megabreaches relatively unscathed.)
More than rising premium costs or negative publicity, the primary short-term issue for businesses will be that disclosure requirements demand a greater prioritization of preventing cyberattacks in the first place. This entails more resources dedicated to training employees to recognize the telltale signs of phishing attacks, more money for on- and off-site IT support, and a general reprioritization of security over convenience. This will be easier said than done.
In the long term, however, required disclosures will most likely have a net positive effect. More accurate statistics will help law enforcement determine when new cybercrime campaigns are beginning and how they operate, apply pressure to foreign governments that harbor cybercriminals, and, perhaps most importantly, raise the standard and expectation for businesses to follow cybersecurity best practices.
How can companies minimize their risk of cyberattacks?
While threat actors and cybercrime gangs employ a broad variety of sophisticated methods to gain access to their targets, it should be kept in mind that many, if not most, of the larger hacking campaigns in recent years have been attributed to sloppy or lax cybersecurity on the part of their victims. The SolarWinds hack, which compromised several high-level agencies of the Federal government and an as-yet undetermined number of companies and organizations, was found to have been carried out through a single, easy-to-guess password that hadn’t been changed in years, despite the urging of cybersecurity professionals. The Colonial Pipeline hack has also been traced back to a single compromised password.
Creating a culture of security best practices and hygiene won’t stop every cyberattack, but it can greatly reduce a company’s attack surface.
A recent White House memo laid out the following tips for companies:
Back up data and systems, and regularly check the backups for integrity: Colonial Pipeline initially paid a ransom when their systems were disrupted, but were able to restore access through their own backups instead.
Update and patch systems regularly: As soon as a security vulnerability is disclosed, attackers will often look for any unpatched system as a likely target. Keep all systems up to date and perform regular audits.
Test your incident response plan: Plan your response to a cyberattack the same way you plan fire drills. Make sure you have a clear set of expectations and a clear chain of communication for everyone in your company or organization.
Check your security team’s work: Security contractors and third parties can help identify weak points in your network that may have gone overlooked.
Segment your networks: Siloing your networks and resources can help contain the damage caused by a ransomware attack and ensure minimal downtime.
Need help structuring a cyber incident response plan or cybersecurity strategy? Nodal can help! Contact us today.