While ransomware looks set to be with us for the long haul, data protection legislation could prove an even bigger threat to organisations, says Soteryan’s Salim Neino.
In cybersecurity, the past few years have been about ransomware. While the landscape has shifted in the past year, with some industry insiders suggesting a 30% reduction in activity, don't be too quick to write off this style of attack.
If there is a positive that we can take from the rise of ransomware, it is that the belief among companies that they are either too small or not interesting enough to be a target has been pretty much eroded. Cybersecurity is now a board-level issue whatever size you are. If you're not already doing things to tighten your defences, then you may have a big problem.
However, there is potentially a greater concern. With the arrival of GDPR and the strengthening of legislation in the US, the next big area of threat for companies is going to be the regulations themselves.
How is it possible for legislation to be a threat? The attack itself is one thing, but the regulatory duty to disclose that you have been attacked potentially puts brands at even greater risk. Protecting the brand is the number one concern for most companies, and where that concern is focused will depend on the type of company and the type of data it handles. For example, a hotel losing its four-diamond or five-star rating because it had been breached would have a massive impact on how it is perceived as a trusted host.
The bottom line is that most companies are not adequately prepared to deal with any kind of breach, but, worryingly, most of the breaches that do occur are the result of unsophisticated attacks that could easily have been mitigated. Legislation will mean that if you have lost important data, or been breached in a way that could affect consumers or any of your partners, you have to disclose it (under GDPR, a personal data breach must be notified to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals where the risk to them is high). This perfect storm means that in the short term we're likely to see a lot of damage being done to brand reputations.
Companies will be focussing on thwarting attacks, or at least on classifying them in ways that mean they don't have to report them, but they need to ensure things are done right, and that includes the PR and communications element. Note that GDPR still requires every breach to be documented, so the assessment that an incident was low impact must be recorded and defensible. Brands need to know how to position the fact that a breach was of low impact, or how to handle the disclosure if it was a more serious attack.
Organisations are going to have to start to think about how they respond publicly to attacks where they may not have had to do this in the past.
If a company’s PR team gets a call from a newspaper asking what they have to say about a breach, they need to be able to respond fast and in the correct way. Failure to respond is not an option. That’s why this is a real threat to companies. This real possibility of reputational damage for brands as a result of having to disclose breaches is going to make companies think hard about how they handle and prevent attacks.
This is not to say that legislation is running before the industry can walk. While there is no silver bullet, the technologies and controls already exist; where the industry is weak is that we don't have enough resources to implement them. The immediate answer is that companies need more subject matter experts to show them good practice; longer term it means greater investment in cyber security best practice.
Unquestionably, this is going to hurt companies that aren’t adequately prepared, and can’t show a suitable plan of care. However, those that make the required investment now are not only much less likely to have to deal with this sort of fallout, but are also in a much stronger position to come out with their reputations intact if they do suffer a breach.
So it’s time to buckle up and ensure the systems and processes are put in place now before the regulators or the media come knocking.