We’ve all seen and heard about companies and government departments that have experienced major security and data loss events. Once an event is made public, there is a media frenzy answering questions like: Were your records compromised? How can you protect non-public information in the future? What should you do if you are a victim? But as the media focus moves on to another topic, the breach becomes yesterday’s news, and there is very little coverage of what repercussions or penalties the breached entities faced, if any.
It is odd that an attack which touches people at the personal level, stealing their details for resale, is forgotten so quickly. If a company issues an apology for the hack and promises to improve its security, all seems to be forgiven within a few days.
But what ends up happening with the stolen data? Is it not still stolen? Is it not still sold?
In late 2017, Yahoo finally disclosed that every one of its roughly three billion accounts had been compromised in its 2013 breach. Yet the number of users who still rely on Yahoo services is probably about the same as before.
Then there is the Equifax breach, which reportedly exposed the personal details of well over 140 million U.S. consumers. This came from a company whose business is built on holding the public’s personal details, which should make protecting them from exactly this kind of attack its first job. Months later, the breach is nothing but a news memory, aside from a multitude of class action lawsuits brought by the public.
Keep in mind that these are only two giant examples that made the news. Security breaches happen globally every day. 59% of Asian businesses report a major, downtime-creating security breach once per month. Once. Per. Month.
Cybersecurity currently suffers from a lack of understanding, which leads to a lack of demand for regulation. Consider the impact a targeted attack could have on the health industry. Though most ransomware operators seem content to extort their victims for modest sums of money, others in the world are no doubt preparing something far more sinister. The impact an attack could have on human lives is frightening to think about, but it is more frightening to realise that there are currently minimal regulations and penalties for anyone involved when a hack takes place. Is the company or industry that was hacked to blame? Is it the application developer whose software was exploited? Is it the IT department that didn’t insist on better security? Is it the business owner who refused to invest in better security because of budget constraints?
There is no reward for security and little (or seemingly no) penalty for insecurity. It has fallen to the public to sue firms that allowed their personal information to be leaked or stolen.
Enter the cyber star rating system, dubbed the Cyber Kangaroo in Australia, which would function like an energy star rating, but for the security of devices and organisations. It would let consumers better understand who they are entrusting their information to, and could change the landscape of services that touch health, security, data, business transactions and much more.
Further details on the proposed system can be seen here; its main recommendations include the following:
- Develop cybersecurity standards and certifications, including identification standards that can improve the security of online transactions.
- Implement a bill of users’ rights to help users make informed cybersecurity decisions when purchasing devices.
- Encourage information sharing between government and industry, and within these sectors, to facilitate action against cybersecurity vulnerabilities and exploits.
- Provide financial incentives for improved cybersecurity, such as through programs that incentivize users to replace obsolete and potentially vulnerable devices.
- Direct government funding toward developing effective cybersecurity standards and achieving compliance in an affordable manner.
- Educate consumers, through public awareness campaigns or school curricula, on cyber risk and cybersecurity best practices.
- Develop a system of security labeling, similar to food nutrition labels, to allow consumers to compare technology products side by side.
At ActiveCo, we keep abreast of security threats to protect our clients as well as ourselves. Data theft can have a business-ending impact if steps aren’t taken to prepare for it. If you do not currently have a security action plan, in a world where the threats are becoming more widespread, please consider a conversation with us at ActiveCo. We offer a no-obligation consultation that business owners have said truly opened their eyes to threats they didn’t realise were there.