As the number and severity of cyberattacks around the world continues to increase, many organizations are looking to their governments for protection. However, with cyber criminals working around the clock to find new ways of exploiting vulnerabilities to access files, data, cash and more, regulators are constantly lagging behind, which raises the question: does regulation offer a realistic way to catch up?
The world is in crisis. Data shows that, every day, at least 30,000 websites are hacked worldwide, and approximately 300,000 malware programs are created to disrupt and gain unauthorized access to digital systems. Attacks such as viruses, worms, Trojan horses, phishing, denial-of-service (DoS) attacks and more are causing organizations to lose data, financial assets and their reputations. No wonder they’re increasingly looking to their governments to protect them. But how?
Focusing on the Target
It’s practically impossible to stop hackers from perpetrating attacks – they tend to be anonymous, work remotely, and act so fast that by the time an attack has been detected, they have disappeared, usually without a trace. So, the focus of legislation and regulations is necessarily on the would-be target organizations, ensuring that they take the necessary measures to protect themselves, and the people they serve.
In the USA, for example, HIPAA, the Gramm-Leach-Bliley Act, and the Homeland Security Act require healthcare, financial, and government entities to ensure the security of their computer systems and data. The consequences of not doing so may include fines, or even prosecution of the relevant officers.
Clearing up Inconsistencies
Where regulations are in place, they can be complicated and even inconsistent, which is especially challenging for an organization that operates in multiple jurisdictions. Here again, active steps are being taken to provide more certainty around cybersecurity obligations. In the EU, for example, the Digital Operational Resilience Act (DORA) is set to create consistency across EU countries in regulations relating to risk management, cybersecurity, incident reporting and third-party oversight, by the end of 2022.
In another initiative, the non-profit Cyber Risk Institute has created a Financial Services Cybersecurity Profile for use as the benchmark for cyber risk assessment. Built on the 2020 recommendations of the World Economic Forum’s Fintech Cybersecurity Consortium, the Profile has consolidated over 2,300 regulations from global financial services hubs into fewer than 280 diagnostic statements. As well as being a unified approach to assessing cybersecurity risk, it gives financial institutions one simple framework to rely on.
Getting People Talking
Another way in which government can protect organizations from cyberattack is by gathering intelligence so that potential attacks can be predicted, and the necessary steps can be taken to avoid them. This requires communication between attacked entities and government, yet data shows that government agencies in the USA are informed about only 30% of attacks on the private sector. It’s not hard to understand why: fear of embarrassment, investor lawsuits, law enforcement probes and irreparable damage to reputation all weigh heavily on the minds of corporate decision-makers. But it does mean that there is no visibility of, or intelligence about, the remaining 70% of attacks.
One way to encourage regulatory reporting is to provide legal cover for those who do so. The USA has taken this approach in new federal regulations requiring critical providers (utilities, banks, energy providers and other sectors) to alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a major cyberattack or within 24 hours of a ransom payment. This protection should help close the kind of visibility gap that was evident in the SolarWinds attack, when it became clear that the federal authorities had little to no insight into the nation’s IT infrastructure.
Another factor affecting people’s inclination to report is how easy it is to do. Israel’s world-first Computer Emergency Response Center, established by the National Cyber Directorate, makes it as simple as picking up the phone. The fully manned hotline is available to assist anyone, whether a private citizen, corporation or public entity, in the event that they are hit by a cyberattack. The USA and Romania have since set up similar services, with encouraging results. In June 2019, for example, three Romanian hospitals were hit, and each called the National Center for Response to Cybersecurity Incidents’ 1911 number. With the benefit of three near-identical reports, the cyber experts realized that this was a coordinated attack. Having consulted with Israeli authorities on how to proceed, they alerted all hospitals to take specific steps, and those that reacted quickly were protected.
Closing the Gap
While all the initiatives mentioned above are encouraging, in reality there’s no hope of regulators ever catching up with hackers. What’s more, whatever incentives or punitive measures are put in place to encourage compliance with cyber regulations, a firm grasp of cyber issues is essential if decision-makers are to take effective, timely action to protect their organizations.
And ultimately, it is really up to organizations to protect themselves. It’s been proven time and again that humans are the weakest link in any organization’s cyber defenses. As a bare minimum, cyber awareness training should be provided to people throughout an organization, so that they understand the risks, where vulnerabilities might lie, and how to avoid inadvertently exposing their organization to cyberattack through their own ignorance and inexperience. With knowledge and experience (gained in a safe environment) we can close the gap between us and the hackers.