While the Cyber Incident Notification Act of 2021 and the Cyber Incident Reporting Act of 2021 (amendments to the Homeland Security Act of 2002) haven’t passed the Senate, the concept of requiring businesses to report cybersecurity incidents to the U.S. government is still alive.
Here’s a summary of what the Cyber Incident Notification Act of 2021 would require:
“Critical infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours, but also direct state and local governments, businesses with over 50 employees and other organizations to notify the federal government within 24 hours following a ransom payment, in connection with a cybersecurity incident.” (Alston & Bird)
Recent cyberattacks that targeted high-profile companies and critical infrastructure, like SolarWinds, Colonial Pipeline, and JBS, have profoundly impacted “regular” Americans, not just CEOs and their PR firms. Large-scale attacks have put people on edge, but has that angst translated into understanding IT as a whole-business problem? After seeing the impact on production and the costs associated with the attacks, have critical industries invested in their people, processes, and technology to improve their cybersecurity posture? Or does it take legislation to change the way businesses prepare for and respond to cyber incidents?
Is forced transparency the answer?
Can transparency around cyberattacks and ransom payments lead to better cyber defenses, faster recovery, and make it easier to catch cybercriminals? Maybe a 24 to 72-hour post-attack notification timeframe would give federal agencies better odds of identifying the culprit(s), intercepting payments, and bringing criminals to justice?
Would more transparency around attacks offer greater protection to organizations and citizens alike?
Or will it make companies try even harder to bury any cyber incidents and ransomware payments? Because let's face it, cyberattacks, data breaches, and enormous ransom payments are not only debilitating, but they are also embarrassing. Everyone from the CEO to Board members to IT teams is usually reluctant to reveal the source of their costly vulnerabilities.
People tend to trust that the companies handling their personal data and supplying daily essentials (power, water, food) have everything under control—until they experience the fallout of an attack (long gas lines, stolen identities, higher prices). Consumers realize they have skin in the game when there are massive ransom payouts. As a result, their confidence in the business deteriorates rapidly, and they grow even more frustrated when cybercriminals skirt justice.
Many customers assume cyberattacks reveal leadership failures and blame the attack on a lack of intelligence, preparation, training, or the executive being a ‘cheapskate.’ With increasingly sophisticated cyberattacks on the rise, why haven't companies learned from each other about how to protect their digital assets?
Would additional notification requirements compel executives to prioritize cybersecurity? James Madison wrote, "If men were angels, no government would be necessary. If angels were to govern men, neither external nor internal controls on government would be necessary." He was describing a system of legislative checks and balances, but his words hold true for business executives as well. If executives were happy to disclose breaches and security shortcomings for the common good, helping other organizations avoid the same mishaps, there would be no need for legislation to force disclosure. But does the proposed legislation, in the name of national defense, place an undue burden on organizations already in turmoil after an attack?
Can we agree that sharing intelligence about cyberattacks is a "best practice" for developing a robust security posture?
Beyond the Blame Game
Data is valuable. Operational efficiencies are even more so. Are executives solely to blame for unseen vulnerabilities that can destroy functionality in a moment, or are they indeed victims?
The inability to recover quickly from a cyberattack is a symptom of not elevating cybersecurity to a business problem. In the court of public opinion, the top executives receive the blame. But the blame is dispersed across the organization when the costs of investigation, remediation, and ransom payment add up. The result is a culmination of mistakes: lax security protocols, half-hearted security training, shared passwords, untested data backups, employees with too much access to data, reliance on a single firewall, intelligence gaps, and the assumption that IT has the budget and expertise to manage everything.
Blame will not restore operations any faster. Preparing an incident response plan, complete with dry runs, tested data backups, and clear communication around roles and responsibilities will prevent a highly stressful incident from splintering your organizational structure. When you can control and contain the attack quickly, it will be easier to mitigate negative consequences. Ownership and action are far better protection strategies than mandated compliance.
Cyberattacks are Inevitable
While cyberattacks are inevitable, providing the best protection for your infrastructure is an executive responsibility. Maybe you were targeted for your good looks, money, or product schematics. But more than likely, a cybercriminal found an easy way into your systems either by setting social engineering traps for your employees or by bombarding your IT team with false alarms. The result? The actual attack became just another alarm sounding in the cacophony of alerts.
What has your company learned from the mega-breaches of the last ten years? How do you structure your digital defenses so that a cyberattack is merely a setback rather than the unraveling of your infrastructure? The first step to protecting your organization is to incorporate your IT leadership into the Boardroom because cybersecurity is essential for growth, maturity, and brand protection. And a second step is to have a third party, free from in-house biases, evaluate your systems and infrastructure for cracks.
Do you already have security experts available to help you prepare for cyberwar by focusing on the battles you can win? Do you have a team dedicated to improving your security posture, with the experience to stabilize, direct, advise, promote, and understand how deploying disparate tools can impact the entire environment? It is often in the best interest of stakeholders to bring in a Managed Service Provider to evaluate your IT environment and infrastructure and to stabilize your IT foundation for security and scalability.
Can transparency bolster protection?
While you may not escape the claws of cybercriminals, your customer base may be more forgiving if you follow generous notification procedures to lessen the impact on their personal lives. No one likes to be deceived and caught off guard when applying for a credit card, only to get rejected and learn that their PII was stolen in a breach that was never revealed to them. Or to wait in a long gas line, feeling thoroughly uninformed about a restoration timeline.
As the victim of a cyberattack, you can try to bury the attack. But try to reject the trend of deflection. Instead of figuring out how to spin the breach, be honest—you may be the key contributor to bringing malicious cybercriminals to justice. You expose how important the cybersecurity link is between your business and your consumers by telling your story.
A better path to recovery after a cyberattack:
- Admit the attack and take care of your customers, e.g., by offering free credit monitoring
- Accept full responsibility for the vulnerability and invite a third party to aid in remediation efforts
- Implement new cybersecurity protocols into your daily operations and bolster your security posture
- Salvage your brand
Offering discounts and free trials of your products will not build consumer confidence. The truth is refreshing. People love to follow a good disaster and recovery story. Every story needs a hero, and you can choose to be that hero. Fight the enemy—even when that enemy is nearly impossible to find and even harder to punish. Time will tell if your story resonates. Profitability will be your gauge.
Your transparency can help others build a more robust cyber defense by revealing the actual costs and the time and effort it takes to remediate an attack. Discuss the difficulty of finding in-house IT expertise—every business owner can relate to that. When business owners are willing to open the discussion to the community and government entities, the information shared will also end up protecting themselves.
Bring in Cybersecurity Experts
TBConsulting, a Managed Security Service Provider in Phoenix, Arizona, has extensive experience helping organizations remediate systems after an attack and bolster their security posture. TBC’s cybersecurity experts, systems engineers, and network architects can bring deep visibility into your operational and technical environment to reveal vulnerabilities. TBC will manage remediation efforts and provide continuous Security Monitoring services to reduce your risk. If you are worried that your cybersecurity defenses are not prepared for a full-scale attack, please schedule a Security Posture Assessment today.