- The development of a set of cybersecurity standards could go a long way in arming companies with more options when it comes to breaches.
- Without these standards companies are less likely to reveal they've been breached or have paid ransomware.
- Cyber attackers are taking advantage of failures in fundamentals.
The development of a set of cybersecurity standards — similar to the generally accepted accounting principles that businesses use for financial information — could go a long way in arming companies with more options when it comes to cybersecurity breaches and make them more likely to report when these events happen, cybersecurity experts say.
The explosion in the number of ransomware attacks in recent months is highlighting the fact that the U.S. still doesn't have "standards of what good cybersecurity looks like," says Michael Daniel, president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council Staff under President Obama.
"In accounting we have GAAP, which is a body of work built up so that when you're looking at a company's books and numbers, you know what they mean," Daniel says. Similarly, in the physical world, there are standard, expected security protocols that are fairly universal. A business will routinely install cameras, a fence, and locks on the gates at a plant, manufacturing facility or distribution center.
"We do not have similar standards in cybersecurity," he says.
Among the reasons: complex technology, a plethora of companies pitching their solutions, and the ever-changing nature of the threats themselves. As a result, "it's difficult to know how much a company is liable for, or what someone else says they're liable for, or, if they're in a regulated business, what the regulators say you're liable for," he adds. Without these guideposts, many companies are less likely to reveal they've been breached or have paid ransomware.
The recent cyberattacks against Colonial Pipeline, SolarWinds and meat supplier JBS have added a sense of urgency in dealing with these threats and what they are costing companies. After its breach, Colonial reported that it paid a $5 million ransom to the hackers, but U.S. law enforcement officials were able to recover $2.3 million of that earlier this week.
On Wednesday, JBS said it paid the ransomware hackers who breached its computer networks about $11 million. Sen. Mark Warner, D-Va., is preparing a bipartisan bill that would require some businesses to report cyber incidents to the government so law enforcement can quickly get involved. During an Axios event about cybersecurity, where he previewed the bill, he said he expects it to be introduced in the next few weeks and believes broad support can help it pass quickly.
The creation of more explicit cybersecurity standards may have taken a step forward last week when the Biden administration urged corporate executives and other business leaders to get better prepared for these attacks. In a memo from Anne Neuberger, deputy national security advisor for cyber and emerging technology, businesses were warned that "the threats are serious and they are increasing."
Ransomware attacks involve malware that encrypts files on a device or a company's network that results in the system becoming inoperable. The criminals behind these cyberattacks typically demand a ransom — often in bitcoin or some other cryptocurrency — in exchange for the data being returned.
The White House memo outlined best practices for safeguarding against ransomware attacks including backing up data, systems images, and configurations, regular testing, and network segmentation. This last practice is particularly key for large enterprises, say Daniel.
"If a company has done proper segmentation, every time the bad guys try to cross a segment you get the opportunity to detect them before they can trigger the malware," he says. "By employing this practice you make yourself more resilient against having a successful ransomware attack launched against you, and if you do have one you're usually able to mitigate the damage and recover much more quickly. This is what gives companies a lot more options than believing they have to pay the ransomware."
This emphasis on cybersecurity fundamentals is the right approach, says Jamil Farshchi, chief information security officer for Equifax and a member of CNBC's Technology Executive Council. He joined Equifax after it revealed that hackers had stolen the personal information of 147 million Americans from its servers. "In most of the attacks we're seeing today, cyber attackers are taking advantage of failures in fundamentals," he says. "Unfortunately, the reality is that few companies have made the level of investment needed to combat today's cyber threats."
All of which makes the need for cyber standards even more vital, says Daniel. Beyond the public/private partnership that is now growing, he says further help for creating these standards may be coming from the insurance industry. For years, cyber insurance has been held out as a great hope for cybersecurity, but has yet to produce the results people were expecting. Because it's such a young segment of the insurance market, premiums have been aligned more with what the market would bear rather than underlying actuarial data, Daniel says.
That's beginning to change. Typically, insurance companies deal with an organization's risk manager or CFO when discussing cyber insurance, explains Michael Phillips, chief claims officer at cyber insurance firm Resilience. With the uptick in the number and severity of cyber breaches, insurance companies are beginning to realize they need to get technology leadership involved in the conversations as well.
"If you look back, the insurance products that the industry was designing and selling to the risk manager were not always lining up with, or incentivizing, good security practices at the client company," he says. "I think we're starting to see that change now."
Perhaps the biggest shift that needs to take place is how companies view cybersecurity. Organizations manage all kinds of risk everyday including supply chain, litigation and even weather. The more sophisticated companies are starting to think of cybersecurity not as a problem to be solved, says Daniel, but rather as a risk to be managed. A set of clear standards of what good cybersecurity looks like would go a long way in helping to make that shift.
"For some risk you employ technology, for some you buy insurance," he says. "The point is that a company is actively managing the risk, not just hoping that something bad doesn't happen to them."