The Debate Over Cybersecurity Incident Reporting: Focusing On a Symptom
By Bill Bernard
In reaction to 2021’s record number of ransomware and other cybersecurity incidents, governments across the world have recognized that they need to be informed about the incidents occurring within their sphere of interest. This makes sense: most companies hit by these events depend on government agencies, such as the FBI in the United States, to help resolve the incident, and those agencies need to be able to step back and see the whole forest even while they are concentrating on particular trees.
In some ways industry has forced governments to take action on this. The number of incidents in the first half of 2022 alone that turned out to have been under-reported by companies is staggering. Two examples you may be aware of: a major ransomware event disclosed to shareholders as a minor network interruption, and the exposure of millions of customer records kept hidden. Recently, governments in the U.S. and in India have updated their reporting rules, and industry leaders are crying foul.
Of course they would. Every CEO, board member, and shareholder is worried about the impact to their company should word get out that it suffered a significant breach. Interestingly, however, the past decade shows that the buying public overall does not change its spending habits based on security events: Target, Home Depot, and others may have felt a short-term impact, but they have long since recovered. Additionally, companies such as Colonial Pipeline have no retail consumers to worry about and are “too big to fail,” to borrow a term from the housing and mortgage crisis of the first decade of this century.
However, they do have a legitimate issue with these new requirements: they need a small army of lawyers just to determine whom they must report to, what they must report, and by when. In the U.S. alone, a company may be subject to any or all of the following requirements:
- Health and Human Services HIPAA related reporting requirements
- Department of Homeland Security CISA reporting requirements
- Securities and Exchange Commission 8-K public disclosure requirements
- Payment Card Industry credit card data loss reporting requirements (they’re not even part of the government!)
- Each state, territory (yes, even Guam!), and Washington D.C. has unique Personally Identifiable Information breach reporting requirements
Add international reporting requirements, such as India’s new requirements and GDPR, and you can see how companies would have an issue just deciphering how to respond – let alone deal with the incident that forced them to report in the first place.
But as significant as all this is, the reporting debate is really a symptom of a larger issue: you can’t report on what you don’t know about, and if you don’t detect an incident while it is still small, the report you eventually file will be far worse. To put it another way, most companies can’t identify a wastebasket fire until it has spread to the couch and curtains and burned down the house. This is readily apparent in Deepwatch’s “State of the Modern SOC” Report. Let’s review some of the key highlights from that report:
- Almost 40% of cybersecurity teams don’t have any 24×7 monitoring capability
- Nearly 100% of cybersecurity professionals feel they need more accurate alerting in order to have good confidence in their monitoring capabilities
- Only 12% of cybersecurity professionals believe their alerting is good enough to respond quickly
If any of these issues hit close to home, this is a perfect time to use your board’s concerns over reporting as a springboard for improving your cybersecurity operations program. A good place to start would be partnering with an industry-leading managed detection and response company like Deepwatch, which can jumpstart your detection, response, and reporting capabilities in days, not years. These critical capabilities reduce the likelihood of ever having a major event to report: an embarrassing breach that puts your organization’s brand and income at risk.
How Deepwatch Can Help
Deepwatch partners with its customers to speed detection and response, providing SOC capabilities and 24/7/365 protection. The Deepwatch SecOps platform leverages security telemetry across data sources to detect complex threats and provide complete real-time response – programmatically, customized to the customer’s environment. Deepwatch security experts work in partnership with the customer’s security team to identify and prioritize which response processes to automate, alleviating the short-term burden of automation in order to achieve the long-term benefit.
As a partner and extension of internal security teams, Deepwatch offers peace of mind and assurance that threats are rapidly and holistically addressed, unlocking a new level of security that supports business outcomes.
To learn more, please visit https://www.deepwatch.com/managed-detection-response/.