Last year’s SolarWinds cyberattack was one of the most widespread and devastating in recent history. The malware injections perpetrated by Russian hackers were borne on the back of routine software updates and may have impacted up to 18,000 customer organisations.
True impact of breach remains unknown
First discovered in December 2020, early estimates suggested that upwards of 50 million records may have been stolen. The true scale and nature of the breach was difficult to assess, as the US State Department, the Department of Homeland Security and even the Pentagon were among the networks compromised by the Trojan horse.
By the end of February 2021, the picture was no clearer. There were confirmed breaches at nine federal agencies and around 100 private companies, but the expectation remained that this number would continue to grow.
One of the greatest challenges to accurately assessing the impact of the breach was a lack of transparency and legislation governing breach notifications. This left government and cybersecurity professionals with more questions than answers. What constitutes personally identifiable data? What constitutes a breach? Who needs to report a breach, by when and to whom?
Disparate legislation causes confusion
Since California first introduced mandatory breach notifications in 2002, the rest of the US states and territories have introduced their own regulations. However, there are wide discrepancies in what data is covered, what types of breach require notification and how notice needs to be given. In 2012 the Obama administration tried, but ultimately failed, to introduce a nationwide set of rules to govern breach notification across the whole of the US.
More recently, despite support from both sides of the aisle, a House version of the Pentagon’s 2021 fiscal policy bill calling for the creation of a cyber incident reporting program failed to make it past the Senate. The SolarWinds hack renewed bipartisan interest in the principle of mandatory breach notifications, provided any scheme would include an element of liability protection for the breached organisation.
Without transparency, cybersecurity professionals and lawmakers are forced to operate in the dark. Formulating effective legislation when there is a lack of accurate source data is likely to cause further delay and expose citizens to further, unnecessary risk.
Industry requires more stick and less carrot
Without strong legislation, including financial penalties for negligent or repeat offenders, it may remain difficult to effect a meaningful change in behaviour. The overall cost of a data breach has remained around $3.8 million for the past five years. For multi-billion-dollar corporations this is a drop in the ocean and may not represent enough of a financial incentive to ‘fix’ the problem.
On the other hand, the EU’s GDPR (universally regarded by cybersecurity professionals as the gold standard of cybersecurity regulations) has some sting in its tail. One of the most notable clauses in the GDPR is the power for regulatory authorities to levy fines of up to $25 million or 4% of annual global turnover, whichever is greater.
For the biggest companies in Europe, this could potentially expose them to hundreds of millions of dollars in penalties, and it has definitely focussed the minds of board-level executives and cybersecurity professionals alike. To date, we haven’t seen anything on this scale, but Google, H&M, British Airways and Marriott Hotels have all been on the receiving end of $20 million+ fines.
What does a non-qualifying breach look like?
Most breaches of personally identifiable or sensitive data qualify for notification on the grounds of a breach of confidentiality, availability or integrity of data that materially impacts the rights or freedoms of the individuals affected by the breach. However, not all breaches require mandatory notification.
Notably, if the breach involves encrypted data, it does not automatically become a qualifying breach. Given this, it is surprising that encryption has not become the default security stance. Whilst adoption rates are on the rise, figures published in 2020 show that many industries are still behind the curve. Internet services and back-up facilities have embraced encryption, with the majority of companies having deployed it across some, if not all, of their systems. The biggest concern comes from cloud, big data and IoT platforms or devices. Within these sectors, encryption is still the exception rather than the rule.
Adopting an enterprise-wide security stance
The volume and variety of malware attacks launched by ‘bad actors’ continues to pose a threat to any digital enterprise. PDFs and office files are a popular vehicle for malware and the increase in remote working and collaboration experienced over the past year has broadened the landscape significantly.
Seemingly innocent documents, spreadsheets and other attachments could be hiding undisclosed or zero-day threats that, once inside an organisation, can wreak havoc. IT security teams have been placed under increasing pressure as the number of devices and locations that need to be secured has increased exponentially.
The ‘good guys’ are often operating off the back foot in the battle with cybercriminals, having to rely on a published list of known threats that can only be defended against retrospectively. However, next-generation malware solutions like Votiro can provide proactive protection against undisclosed attacks and are beginning to shift the balance.
With many businesses looking to retain a greater degree of remote working, even as restrictions are lifted, a distributed workforce is likely to become standard practice. An increased demand for collaboration solutions has resulted in an increased use of public file-sharing applications such as Box, Dropbox and Google Drive. However, all of these solutions have suffered their own breaches in recent years.
Applying the principle of “encrypt everything” to file-sharing and collaboration provides additional peace of mind that, should a breach occur, the data is rendered useless in the hands of unauthorised users. Built on security-first principles, SureDrop offers all the convenience of a public file-sharing application with the benefit of best-in-class encryption, additional file-fragmentation security and integration with Votiro Secure File Gateway for enterprise-wide security.