Another reason is that the vast majority of successful attacks come not from being targeted by an elite team of hackers but from employee ignorance and negligence. There's a reason I keep writing about how to avoid being phished. Unfortunately, it still happens all the time. Simple e-mail phishing tricks to get you to click on a link or open a file are still one of the top ways an attacker gets into your systems. The other big reason companies get hacked: someone inside maliciously, or stupidly (it's sometimes hard to tell the difference), opens the door to an attacker. In either case, no one inside a company wants to admit to those kinds of "fire me now" mistakes.

Well, the days when you could just do your best to fix the blunder and then pretend it never happened are ending. While the exact regulations have yet to be written, going forward the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) will demand that you keep it in the loop when your security goes awry. If your business is in one of the 16 critical infrastructure sectors, you'll need to let CISA know when you've been successfully attacked. For clarity, the new law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), requires you to report a covered cyber incident within 72 hours of discovering it and a ransomware payment within 24 hours of making it.

Before you hyperventilate, take a deep breath. It may be the law of the land, but the regulations that turn that law into something you must comply with haven't been written yet. According to the major international law firm Holland & Knight, "The new cyber reporting obligations will not become effective until CISA promulgates rules to define the entities within the critical infrastructure sectors that will be impacted by this law and the types of substantial cyber incidents it covers." CISA has two years to publish its proposed regulations and then 18 months after that to make them final. Making laws and regulations is a long, tedious process.
In addition, not everyone in the government is keen on this new law. In what appears to be a classic governmental turf war, the Justice Department and the FBI don't care for it one little bit. FBI Director Christopher Wray thinks it "has some serious flaws" and "would make the public less safe from cyber threats" because it sidelines the FBI in favor of CISA. Be that as it may, some kind of legal insistence that businesses actually report and track break-ins and ransomware attacks is coming. Get ready. And, just a thought, how about taking better care of your security today, so you don't need to worry about explaining why you didn't report a significant incident when the day comes.