
Should companies be fined for botched cyber strategy? The case for ‘Ofcyber’…

Is it time Britain ushered in a punitive body for corporate cybersecurity negligence? Chris Allen, director of Criminis Consulting and Training, thinks so…

The world is brimming with regulators. Most global sectors have legions of dedicated and fastidious inspectors. Think Ofgem for energy, Ofsted for education, or Ofcom for communications.

But given the rampant escalation of cybercrime, has the time now come for ‘Ofcyber’?

A case in point: a recent report from consultants Azets found glaring holes in the Scottish Environment Protection Agency’s (SEPA) response to a cyber attack that resulted in 4,000 files being stolen and posted online on Christmas Eve last year.

In particular, Azets noted SEPA's cyber incident plan was not available offline during the attack.

But the researchers also found the attackers operated with “significant stealth and malicious sophistication”, and a separate Police Scotland review concluded SEPA was “not a poorly protected organisation”.

The SEPA attack, and countless others, raise the question of whether – and how – a company’s cybersecurity should be regulated to stop attacks happening with increasing regularity and consequences.

What would ‘Ofcyber’ do?

This would be an area for discussion and clarification. Firstly, regulators such as Ofsted or Ofcom usually examine what companies do – such as broadcast content that has drawn complaints, or a particular aspect of teaching.

The difference with Ofcyber is the body would likely focus on what companies didn’t do, such as why an attack was targeted at a particular entity, and why it was successful.

What’s the remit?

Then comes the question of remit – which companies should come under the auspices of such an organisation? Should the focus be on start-ups, SMEs, or large corporations? Such stratification could risk omitted business categories being singled out as easier targets for hackers.

Iron fist v soft touch

Another area to consider is consent – should Ofcyber’s ombudsmanship be voluntary or compulsory?

Voluntary buy-in risks a lack of community participation, but mandatory governance could foster ill feeling, with companies sensing they are being blamed for cybercrime and then cajoled into responding.

Costs and consequences

If Ofcyber unearthed examples of poor practice and confidently concluded a company was at fault, what punishments should it mete out?

Should the cyber body mimic Ofsted and carry out inspections and provide examples of best practice? And, if so, where would it draw that best practice from?

Money is another obvious sticking point. How do you fund such a body? One option would be to use the proceeds of cyber criminality confiscated under the Proceeds of Crime Act.

Global policing

Another challenge is the international nature of business. For example, the education ombudsman Ofsted works within delineated geographical bounds – it is obvious where a school is located and whether it comes under the regulator’s remit.

But cybercrime often spans multiple jurisdictions. There are multiple factors that could qualify a company to fall under Ofcyber – such as the location of its headquarters, a physical presence in the UK or simply that it does business in Britain.

Ofcyber as a concept has vast potential, but the ultimate measure of its hypothetical success would be whether it makes businesses more secure and reduces, rather than adds to, the considerable challenges of maintaining cyber security.

As one experienced IT security expert, who chose to remain anonymous, puts it: “While there are clearly challenges that would need to be addressed in terms of funding, structure and remit, introducing blanket cybersecurity regulation can only be a positive move. If a customer sees that a company has a good Ofcyber rating that will increase their trust in the brand.”

What does the SC Media community think about ‘Ofcyber’? We put the case to the experts...

Should companies be fined for botched cyber strategy?

Richard Starnes, chief cybersecurity strategist, Capgemini

I wouldn’t say companies should necessarily be fined; the Information Commissioner’s Office is already meting out GDPR fines to a certain extent.

However, I think we could look at smart fining by making sure the fines won’t affect consumers – prices might be hiked to recoup company losses. We have to be smart about how we do this.

If businesses are showing a flagrant disregard for basic cybersecurity practices, fines might be an option.

By disregard, I mean: some companies don’t have CISOs. The board has to take cybersecurity seriously – that’s where the responsibility lies. Companies need to have risk committees and cyber committees.

However, it’s difficult to dole out blanket punishments. You can’t really do that because each company is unique in its business and its ability to pay. You could put them out of business, so the fines would have to be reasonable. A list of sweeping requirements won’t work.

Some frameworks already exist that offer reasonable cybersecurity for SMEs. While these types of basic risk processes should initially be encouraged, ‘Ofcyber’ would have to define its criteria over time by looking at ICO and overseas cyber regulators.

Saying that, fines alone won’t work. You can’t just say: “Here is the bill, pay up.” The penalty list would also need to come with mandates to fix the problem.

It’s also worth considering that a lot of companies will take the line that the chances of getting caught are slim. We need to work with businesses and the industry to show how their protection can be applied at a reasonable cost.

Sam Curry, chief security officer, Cybereason

The answer is no. Cyber is not binary. There are levels of maturity and growing pains to improve cyber. Even with the best of intentions, companies can jump from immaturity to maturity overnight. As with most things, it takes time.

Further, cyber strategy is not a checklist. At heart, all things “cyber” are truly about risk methodologies. Companies should be penalised for not doing the basics: for not elevating the discussion to the boardroom; for not following the right risk processes; for not continuously improving; and for not having a strategy.

It’s also bad to go back after the fact and bayonet the wounded because cyber is about risk trade-offs. If you want no risk, turn everything off. Security should be managed as other forms of business risk, seriously and with urgency; but it’s not an on-off switch.

But is it time for ‘Ofcyber’? The short answer is that it might be.

As with most things, how this is done – and why – matters a lot. It can be done well, or it can be done very poorly. Most CISOs fight for attention from the business and know what needs doing, but they aren’t elevated sufficiently within the business to get the time, attention and investment needed.

The most important thing that can be done is to take measures that the boardroom has to be involved with cyber governance and auditing. Regulation like this tends to elevate the bar quickly and then no further, and in the case of cyber we are dealing with intelligent and adaptive opponents as opposed to fighting nature and entropy.

This isn’t about adopting a set of controls and then sitting back and watching the dials. Cyber is an active competition.

Frank Morris, managing director, EMEA, Synopsys Software Integrity Group

Is it time for ‘Ofcyber’? There are two streams of thought on this. One could argue that companies are already penalised for bad cyber strategy if the end result is a breach (of either a system or failure to meet a regulation).

Let’s face it, the reason you want a strong cyber strategy is to avoid a negative outcome and the strategy is evidence of an approach to mitigating risk and preparing for unwanted events.

In the event of a breach of a system, companies face the consequences of not being able to meet the needs of their customers during sustained periods of downtime and, inherently, a secondary consequence of damaged reputation and reduced future consumption of their product or service. So, it’s a self-inflicted penalty that few companies would ever want.

Secondly, in terms of breaching a regulatory requirement – typically where it’s essentially the right thing to do to keep you and your data safe – then penalties exist today.

We’ve already started to see the impact of fines and restrictions to operating licences across various industries.

In the UK, there are bodies such as the ICO that have started to issue fines for failing to ensure the security of personal data under GDPR.

In the US, the Securities and Exchange Commission has issued a number of fines to companies for deficient cybersecurity practices.

So the bigger question is: Should companies be penalised more than they are today?

Regulation is difficult. There are always fears that companies will be at the mercy of regulators that follow frameworks that may not be appropriate or even open to interpretation.

With regards to creating an Ombudsman for cyber, opinions vary.

We’ve seen existing regulators for industries start to incorporate cybersecurity into their practices so perhaps that is sufficient.

Indeed, it may be more suitable for each industry to manage the regulations more appropriately aligned to their most common risks.

On the other hand, a pure cyber ombudsman may bring more consistency to approaches and ‘fairness’ to companies. As companies operate on a global basis, bigger questions around competition and fairness come into play.

Sammy Migues, principal scientist, Synopsys Software Integrity Group

There must be a business penalty for not including cybersecurity in corporate strategy and in various IT and product operations. That’s not to say they should be penalised for not doing it perfectly, or even for suffering a breach. That could happen to even the best cybersecurity programmes.

However, failure to plan, failure to include cybersecurity as a key business objective at the board level, failure to take advantage of industry-standard approaches and technologies, failure to make specific roles responsible for specific cybersecurity goals, and failure to instrument business processes to produce cybersecurity telemetry are fundamental failures.

Twenty years ago, many of us expected that the marketplace would punish bad security performers by avoiding their products. We see now that that was a wildly inaccurate prediction. It’s time to help ensure all organisations take cybersecurity seriously.

Michael Isbitski, technical evangelist, Salt Security

Enforcing cybersecurity on the private sector is a bit of a slippery slope. Companies are already incentivised to do the “right” things for security or face penalties from privacy regulations like GDPR or (cardholder) data handling standards like PCI-DSS.

Open Banking is another example for FinTech and FinServ. I don’t feel that an office to enforce cybersecurity regulation would help improve matters.

Many government offices that are required to meet strict cybersecurity requirements fail or perform poorly in their audits. Part of the issue is inherent complexity since cybersecurity includes many technologies and processes in different security domains.

The other challenge with implementing effective cybersecurity is scale, particularly for larger entities public and private.
