Altaz Valani, Research Director, Security Compass
Tech giant Google recently warned of significant surges in state-backed hacking activity, a reminder that hacking should still be recognised as a major security threat to all organisations. In fact, Sky News has revealed that in the past three years not a single report of a hacking attempt has been filed by any British energy firm. This is despite the introduction three years ago of a cyber security law obliging electricity and gas companies to do so, and despite well-publicised successful hacks carried out by criminal groups and hostile states. Clearly, something is not working as it should.
Ofgem, the regulator responsible for receiving reports of hacking attempts, reported that the one British energy company that attempted to file a report was prevented from doing so because the incident didn’t meet the required threshold. While these thresholds may vary from industry to industry, when it comes to reporting to regulators, the wider concern is the impact on promoting a culture of security across an organisation. If companies are not reporting cyberattacks because the regulatory threshold is too high, regulators will have little intel to modify reporting thresholds or establish recommended security practices in the future.
Lack of reporting can hamper security vigilance
When it comes to cybersecurity vigilance, tracking and flagging potential cyberthreats is key to keeping malicious cyberattacks at bay. Reporting potential cyberattacks and breaches to the relevant regulatory bodies helps spread awareness of such incidents and, as a result, helps other organisations prepare their cybersecurity teams to anticipate and deal with these threats more readily. Reporting knowledge of cyber threats and security vulnerabilities to regulators also enables them to put in place the right guidance on best practices and general cybersecurity governance.
Reporting of cyberattacks may decline if companies do not view hacking attempts as worth reporting because they do not meet the regulatory thresholds. This does more harm than good, and further highlights the challenge facing regulatory bodies and companies when it comes to gathering intelligence and data on cybersecurity threats from organisations. It makes the role of regulators in cybersecurity governance much more difficult than it should be. One key factor that can change how organisations report hacking attempts and other cyber breaches is the enforcement of clear regulatory requirements that encourage not only more incident reporting and data sharing but also accountability from organisations, from top to bottom.
Combining security training with robust regulatory requirements
Regulatory requirements are key drivers for building internal security competencies within organisations. This is due to the inherent business risk tied to breach of compliance, which would include both primary and secondary outcomes. Risk mitigation is typically manifested through the creation and ongoing development of capabilities and internal governance structures that support clear reporting against the regulatory requirements. This leaves little room for any discrepancies or confusion in cyber threat reporting. Much of this work is done with the help of highly qualified consultants and regulatory assessors.
If internal organisational capabilities and governance structures trigger a report to regulatory authorities that is subsequently declined, the implication is that no regulatory breach occurred and the organisation is safe. There is, therefore, little business incentive to keep improving security programs even though a security breach did occur. After all, the current state is evidently good enough to satisfy the regulatory requirement.
Organisations need to continually develop their internal security capabilities, and it is important that regulators maintain, and regularly raise, the bar on security requirements in order to instil accountability at the upper echelons of organisations. Too many reports being dismissed as false positives implies a lack of regulatory clarity on how the rules are interpreted, which can erode the potency of a regulation. That, in turn, could lead to less secure products and services over time – the very problem the regulation was intended to address.
Another aspect of internal organisational cybersecurity programs is education and training. Organisations need to map out security awareness training programs that align with the regulatory requirements that apply to them. These security training programs help to foster a culture of security vigilance and, at the same time, raise awareness among employees. What's more, such training is in accordance with, and required by, many regulatory standards and laws.
Reporting cybersecurity threats of all kinds is an important aspect of maintaining a robust security posture. This means organisations need to align their own internal reporting thresholds with those of security regulators. Doing so requires strong overall cybersecurity vigilance, much of which will be fostered through internal security training programs that are aligned with regulatory reporting requirements.