cutimage - Fotolia
The cyber security industry has broadly welcomed a government committee report on an inquiry into the October 2015 data breach at TalkTalk that exposed the personal details of 155,000 customers, but has taken issue with some recommendations.
While organisations can and should do more to protect consumer data, they cannot be left alone to fight cyber crime, said Amichai Shulman, CTO and co-founder of security firm Imperva.
He believes that reducing cyber crime is an important point that is overlooked by the report. “If this criminal incident affecting UK businesses and consumers was important enough to initiate an investigation by a government committee, it should be getting the same attention from a law enforcement perspective,” said Shulman.
The strongest support for the committee’s inquiry report is for calls for better education of consumers about cyber security, greater investment by organisations in protecting consumer data, and linking CEO compensation directly to the data security of a company.
“We wholeheartedly agree with the committee’s conclusions that data breaches are a growing problem and require addressing – including through sanctions – to ensure consumer confidence in the digital economy and to maintain the UK’s world-leading economic position,” said Rob Cotton, CEO at global information assurance firm NCC Group.
“We welcome calls for reporting on security to the Information Commissioner’s Office (ICO) and in company annual reports – just as health and safety are.
“We also echo the committee’s calls to ensure cyber security is a real board-level issue. It is essential to have individual executive responsibility and accountability, and incentives for the CEO to pay attention to the issue.
“It is crucial for businesses to take simple, necessary steps to improve security practices across the supply chain and through security-by-design principles. But it’s also important to recognise that this will not lead to 100% security.
Read more about data breaches
- Drawing on insights from more than 400 senior business executives, research from Experian reveals many businesses are ill-prepared for data breaches.
- Sony will pay up to $10,000 to each claimant for identity theft losses and up to $1,000 each to cover the cost of credit-fraud protection services in connection with a cyber attack in 2014.
- The rise in high-profile security breaches has led to an increasingly worried UK public, calling for 24-hour monitoring of sensitive information.
- Considering that a data breach could happen to any company at any time, a plan of action is the best tactic.
“Therefore, full support for incident management plans and resilience become the critical measures by which to evaluate good cyber security practices.
“We are look forward to seeing how Elizabeth Denham – the new information commissioner – will take up the committee’s recommendations, and how the government will incorporate this into its Cyber Security Strategy later in the year.
“At NCC Group we remain fully committed to playing our part in improving awareness – and crucially, behaviour – around cyber security in businesses across the UK, and globally,” he said.
Fines for reported breach delays ‘not practical’
However, despite broad support for sanctions, some pundits believe that fines for delays in reporting breaches as proposed by the report are not practical. As the TalkTalk cyber breach shows, it can take months before the true scope and nature of a breach is known.
Lack of staff, disparate systems, complexity, lack of audit logs and so on can all contribute to delays, said Javvad Malik, security advocate at AlienVault.
The committee report states that TalkTalk must publish as much of the investigation as commercially possible without delay, and set out how they will implement any necessary changes.
“This in itself is a point many companies should look at as a reference. In the event of a breach, companies should ask themselves if they could conduct an investigation, determine root cause and implement a remediation plan in under eight months,” said Malik.
He said organisations should ensure monitoring and logging controls are in place and effective, they should look to simplify and unify IT infrastructure to make investigations easier, and they should have an incident response and communication plan in place
Due to the potential delays associated with establishing the scope of cyber breaches and criminal investigations, criminal defence and cyber crime solicitor Ernest Aduwa at Stokoe Partnership believes the proposed fines are impractical.
“The idea of serving fines to companies who delay in reporting breaches into their system is a complete farce. There are many very good reasons for such a delay, such as a detailed police investigation,” he said.
Also commenting on the time taken to identify breaches, James Chappell, CTO and co-founder of Digital Shadows, said organisations should focus on reducing the time to discovery.
“Many breaches and security incidents take months to be discovered – around nine months on average. It is essential that firms take a more proactive approach and adopt measures that enable them to provide a coherent, useful response in these more compressed timescales, while trying to avoid knee-jerk responses that cause more confusion,” he said.
‘Carrot and stick’ approach to breaches
According to Chappell, data breaches and other security incidents are unfortunately inevitable in most modern businesses, and any proposed legislation should recognise this and offer a “carrot and stick” approach.
“Fines alone are not the answer. However, we’re encouraged to see some common sense in this initial proposal, in particular around audits and staff training, which are to be applauded,” he said.
Jonathan Sander, vice-president of product strategy at Lieberman Software, also cautions against relying on fines.
“Often, putting a set price on these risks simply allows organisations to make a calculation about how little they may spend on cyber defence to offset the maximum costs of fines,” he said.
“You see this at work in the regulatory world, where an organisation often decides to simply pay fees for being out of compliance rather than spend what they feel would be more to be in line with the statutes.
“If cyber security simply becomes another set of regulations, then a check box mentality will rule and we will see minimum effort and minimum expenditures. The risk of cyber security must be kept akin to the risk of real world crime, where organisations know that a big heist could be an existential threat to their business and act accordingly.”
CEOs should be involved in cyber security
The committee report recommends that to ensure cyber security receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security.
“The notion of the CEO and board being involved in cyber security is essential. The implications and remedies to cyber security issues often cut across every aspect of an organisation’s operations,” said Sander.
“The bad guys don’t have to wade through politics and bureaucracy to cross those lines, but everyone in an organisation will unless they have immediate and prioritised access to executive backing. When these breaches occur, it’s absolutely required that executives use their powers to ensure response is swift and complete,” he said.
Best practice and public education
Sander also said the comparison of cyber security awareness for the public with smoke alarm testing does not really work.
“Just like the public needs to proactively ensure their smoke alarms are in good shape, they must also be proactively behaving in safe ways online and looking for the signs of a scam as they happen,” he said.
“The message should not simply be about how to handle the wake of incidents, but also about how to avoid both being taken in by scams and how to behave in ways that lessen the impact of breaches when they are out of your control.”
Charles White, founder and CEO of cyber risk specialist IRM, said after many years of issuing best practice advice to improve the cyber security of UK companies, the committee report shows that government is now taking a much firmer hand in getting the attention of executives.
“However, with previous voluntary schemes such as Cyber Essentials largely going unheeded, we need more than reports and suggestions to enact real change,” he said.
“The possibility of their bonuses being hit by poor security performance should be an effective way of keeping cyber threats at front of mind for CEOs throughout the year, not just when a crisis arises.”
Unaware CEOs should ‘pay the price’
Just as with any other major disaster, White believes the “buck should stop at the top” when a major breach occurs, and CEOs who are unaware of their company’s cyber-readiness should be prepared to pay the price.
“Including cyber security performance in annual reports alongside environmental and social reporting will also help to reinforce the perception of cyber as a vital operational matter, rather than some obscure IT issue to be shunted off to one side,” he said.
“However, with the threat of cyber-attack as obvious as it is, a CEO who has presided over a major breach that could have been prevented should consider themselves fortunate if they only forfeit a portion of their bonus, rather than losing their position entirely.
“Just as with major causes of fraud or environmental scandal, I anticipate serious breaches being regarded as a case of resignation in the near future.”
Chief information security officers have frequently lamented a lack of top-level visibility or backing, said AlienVault’s Javvad Malik.
“If CEO compensation was directly linked to the security of a company, this dynamic could change. However, the definition of what constitutes ‘sufficient’ security will remain ambiguous, which makes it tricky,” he said.
Malik recommends that organisations ensure their security investments are defensible, that their security strategy aligns with the business and that they can offer adequate protection for their customers’ data. “Security is not a one-person job. It’s a company-wide initiative that should be treated as such,” he said.