Total transparency as the best defense against cyber attacks? Report Ft

Governments have been too slow to insist on sharing information about cyberattacks. The in-depth analysis of the Financial Times

It could be the latest example of a digital poacher turned gamekeeper.

After the AlphV/BlackCat ransomware gang attacked MeridianLink last month, the hackers decided that the software company had not complied with the Securities and Exchange Commission's (SEC) new rules for disclosing cyber incidents. They then notified the regulator of this shortcoming, publishing a photo of the complaint form in which the gang highlighted this “worrying problem,” writes the Financial Times.

The hackers, however, were wrong.

The rules, which require companies to post a public notice within four days of identifying a "material" cybersecurity incident, won't take effect until mid-December.

But the move has certainly attracted attention: “To the extent that we've discussed that this rule adds another tool to the hacker's toolbox, that makes it very clear,” says Erez Liebermann, partner at law firm Debevoise & Plimpton. “The SEC has put hackers in the driver's seat.”

WHAT THE NEW REGULATIONS PROVIDE REGARDING CYBER ATTACKS

The new regulations push to the limit what is generally recognized as best practice in the cyber community: greater transparency is an important weapon against the onslaught of online criminals. According to EY, the known number of cyberattacks has increased by 75% over the past five years. According to Cybersecurity Ventures, the $20 billion cost of ransomware attacks in 2021 was 57 times higher than in 2015 and is expected to increase further to $265 billion by 2031.

COMPANIES STILL BEHIND REGARDING IT SECURITY

Despite the surge in criminal activity, many companies still haven't locked their doors and windows, and many boards don't know enough to ask why. Fewer than 70% of Fortune 100 companies list cybersecurity skills in at least one director's bio. Only 16% said their risk management includes simulations or testing of incident response. “It completely amazes me that we still don't do the basic things,” says a former US politician. “If companies practise basic cyber hygiene and have intelligent backups, they will almost certainly never have a truly bad day.”

SEC RULES IN THE UNITED STATES FOR COMPANIES SUFFERING CYBER ATTACKS

The SEC's rules have sparked concern, including from the US Chamber of Commerce. The four-day threshold for disclosure is challenging and will need to be applied reasonably: given the uncertainties (and general panic) after becoming aware of a significant breach, information may be partial or change frequently as the extent or severity of the incident becomes known. Consultants also argue that worrying about disclosures could distract from containing an incident, and that admitting that a hack is “material” gives an attacker leverage.

However, the overall impulse is to share information for the good of the system. In the most extreme example, radical transparency and collaboration between the public and private sectors are credited with helping to contain cyberattacks in Ukraine since the outbreak of the war with Russia.

HOW GOVERNMENTS ARE MOVING IN THE WEST

Generally, governments have been too slow to insist on sharing information to build a complete picture of cybercrime and, crucially, to offer companies non-judgmental support to manage attacks or contain the damage. The United States and the European Union have expanded incident reporting requirements to authorities for sectors considered critical infrastructure. Last month Australia proposed extending the equivalent across the entire economy.

In part, disclosure policies may seek to discourage ransomware payments by eliminating the option of writing a check (or handing over some cryptocurrency) and having it all quietly disappear. In the financial services industry, which tends to lead the way, the New York State regulator requires companies to notify and justify extortion payments.

SECRECY DOES NOT HELP

Secrecy, ultimately, cannot help. Ciaran Martin, former head of the UK's National Cyber Security Centre, sees a parallel with European data protection rules: “For all its flaws, the GDPR has removed a very problematic right to hide a problem, and that has been a good thing.” The United States is increasingly using information it receives voluntarily to issue public warnings, as it did last month based on a Boeing report on the Citrix Bleed bug. The SEC rules go a step further in terms of how quickly investors, customers and suppliers will be alerted to a new risk.

INVESTMENTS IN CYBER RESILIENCE ENCOURAGED

At the very least, the need to quickly understand a cyber attack, assess its severity and then agree on a potentially embarrassing disclosure is transforming how businesses plan to handle incidents, according to consultants. This should encourage greater focus and investment in resilience, as well as ensuring that cyber concerns are heard and well understood at the top of companies. Which, of course, is how it should have been for a long time.

(Excerpt from the foreign press review by Epr Comunicazione)


This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/cybersecurity/trasparenza-totale-come-miglior-difesa-contro-gli-attacchi-informatici/ on Fri, 08 Dec 2023 06:40:45 +0000.