Cybersecurity breaches are becoming increasingly common and devastating, with cybercriminals targeting organizations of all sizes and industries.
When a cyber-breach occurs, it can be tempting to keep quiet about it, either to avoid negative publicity or to protect the organization’s reputation. However, this can be a dangerous approach that can lead to even greater damage.
In this blog post, we explore the importance of cyber breach incident reporting and why it is critical to share information about security incidents.
To Report or Not to Report
Considering that nearly half of domestic abuse incidents in the US and 70% in Canada go unreported, it is perhaps less shocking to discover that nearly the same proportion of cyber breaches remains confidential in the US. According to a survey released in early April this year, 71% of IT professionals say they were instructed by their bosses to keep silent. A third complied, despite placing themselves and their companies at serious risk of fines and other penalties. In the case of former Uber CEO Joe Sullivan, the felony is expected to result in a prison sentence of up to eight years!
Additionally, the new White House Cybersecurity Strategy now places additional onus on companies to take “reasonable and cost-effective steps” to mitigate risks; and that includes reporting. In Europe, ten states specify prison terms for not reporting a breach.
Reporting the incident may prove embarrassing to company management vis-à-vis their stakeholders, who demand perfection and the highest possible ROI. Then there are private networks of IR professionals, where reporting may be less embarrassing but is subject to a prisoner’s dilemma: will others report to the same extent, or merely reap the benefits without placing their own organization in jeopardy?
This dilemma is compounded by the fact that, even if one trusts the IT professional to understand the nature of the threat, that person is employed by CEOs who see only the downside of the reporting process for the good of their shareholders. The waters of cooperation consequently become murkier: am I just reporting, or am I also benefiting from the reports of others?
Mary Pratt in CSO enumerates several industry-aligned non-profits that run information sharing and reporting networks, roundtables, and conferences: ISACs (Information Sharing and Analysis Centers), InfraGard (a partnership between the FBI and the private sector), the Netherlands-based National Cyber Security Center, and more. Forrester Research’s Jeff Pollard aptly calls this a “whisper network”, because the closed environment enables reporting incidents without divulging company secrets. Other networks deal with incidents that have not yet led to company losses and do not always need to be reported to the authorities. Here, breaches can be monitored without raising an alarm that could also alert the attacker.
Private network reporting, however, remains sectoral: networks tend to include IT professionals from related fields, leaving unrelated companies uninformed and susceptible to repeat offenders. Compounding this limitation is the fact that there is no single data repository.
Protecting the messenger
Unfortunately, once an IT manager decides to “do the right thing”, the process of actually reporting the breach is not made easy by the authorities, according to Robert Lemos in Dark Reading. In the US, the reporting company has to comply with the separate requirements of 50 different state, federal, and industry authorities; and if the company also operates in Europe, the requirements of the EU’s GDPR often clash with those of the US. According to Lemos, incidentally, the level of misreporting in Europe is much lower: 35% in Germany, 44% in the UK.
Of course, there are risks associated with cyber breach incident reporting that, according to some CEOs, may justify sitting in a cell. The publicity surrounding a breach can damage an organization’s reputation, and there is always the risk of legal action being taken against the reporting organization for breach of privacy. However, these risks need to be weighed against the potential benefits of reporting the incident. In most cases, the benefits of sharing information about the breach far outweigh the risks.
According to Pratt, only 20% of Hive victims had reported the cyber gang’s attacks before it was shut down by the FBI early this year. FBI Director Christopher Wray even found it necessary to thank those who had reported for helping bring Hive to justice.
On the other hand, April began with some important good news: Google, Intel, the bug-bounty firms HackerOne, Luta Security, and Bugcrowd, and the cybersecurity-specialized law firm Venable announced a new alliance to create a reporting policy council controlling a fund that protects reporters from legal action. According to SC Magazine’s Derek Johnson, although Google will provide the fund’s seed money, it will be managed as a separate non-profit, providing funds to victims of legal proceedings initiated as a consequence of their reporting a security breach. Incidentally, the Computer Fraud and Abuse Act is meant to prevent the prosecution of reporting “in good faith”.
Following Australia’s lead of nearly half a decade ago, new legislation passed last year (the Cyber Incident Reporting for Critical Infrastructure Act, CIRCIA) requires critical infrastructure companies and agencies to report ransomware and other incidents within a specific time frame to CISA (the federal Cybersecurity and Infrastructure Security Agency).
However, companies must be incentivized to report. Authorities must clarify that reporting is for future reference, to assist in prevention, rather than for punitive purposes. If the reporting process is to provide protection, reporters must themselves be protected. Once again, the recent update to the White House’s cybersecurity policy specifies this and even creates the basis for a protections framework.
Doing the Right Thing
One of the key reasons to report a cyber breach is to help prevent similar incidents from occurring in the future. By sharing information about the breach, other organizations can learn from the incident and take steps to improve their own security posture. This information can include details about the attack, such as the tactics, techniques, and procedures (TTPs) used by the attackers, as well as the vulnerabilities that were exploited.
Besides preventing future incidents, reporting can also help organizations respond more effectively to the breach itself. But, perhaps most importantly, cyber breach incident reporting can help to build trust and transparency between organizations and their stakeholders. It may even topple the walls of distrust between customers, investors, and other stakeholders, who are more likely to continue to do business with an organization that takes its security responsibilities seriously.
Finally, and to an increasing extent: it’s the law! Reporting a cyber breach is a matter of complying with legal and regulatory requirements. Failure to comply with these regulations can result in significant fines and penalties. Reporting the incident helps the organization demonstrate that it has taken appropriate measures to protect sensitive data, which can be critical in the event of a legal dispute.
State of the Report
In conclusion, cyber breach incident reporting is a critical aspect of cybersecurity that should not be overlooked. By sharing information about security incidents, organizations can help prevent future breaches, respond more effectively to incidents, comply with legal and regulatory requirements, and build trust with their stakeholders. While there are risks associated with reporting a breach, these risks need to be weighed against the potential benefits. In the end, it is better to be open and transparent about a breach than to try to sweep it under the rug and hope for the best.