Should companies be fined for botched cyber strategy? The case for ‘Ofcyber’…
Is it time Britain ushered in a punitive body for corporate cybersecurity negligence? Chris Allen, director of Criminis Consulting and Training thinks so…
The world is brimming with regulators. Most global sectors have legions of dedicated and fastidious inspectors. Think Ofgem for energy, Ofsted for education, or Ofcom for communications.
But given the rampant escalation of cybercrime, has the time now come for ‘Ofcyber’?
A case in point: a recent report from consultants Azets found glaring holes in Scotland Environment Protection Agency’s (SEPA) response to a cyber attack that resulted in 4,000 files being stolen and posted online on Christmas Eve last year.
In particular, Azets noted SEPA's cyber incident plan was not available offline during the attack.
But, the researchers also found the attackers operated with “significant stealth and malicious sophistication" with a separate Police Scotland review concluding SEPA was “not a poorly protected organisation”.
The SEPA attack, and countless others, raise the question of whether – and how – a company’s cybersecurity should be regulated to stop attacks happening with increasing regularity and consequences.
What would ‘Ofcyber’ do?
This would be an area for discussion and clarification. Firstly, regulators such as Ofsted or Ofcom usually examine what companies do – such as content that received complaints, or a particular piece of learning.
The difference with Ofcyber is the body would likely focus on what companies didn’t do, such as why an attack was targeted at a particular entity, and why it was successful.
What’s the remit?
Then comes the question of remit – which companies should come under the auspices of such an organisation? Should the focus be on start-ups, SMEs, or large corporations? Such stratification could risk omitted business categories being singled out as easier targets for hackers.
Iron fist v soft touch
Another area to consider is consent – should Ofcyber’s ombudsmanship be voluntary or compulsory?
Voluntary buy-in risks a lack of community participation, but mandatory governance could foster ill feeling that companies are blamed for cybercrime and then cajoled into responding.
Costs and consequences
If Ofcyber unearthed examples of poor practice and confidently concluded a company was at fault, what punishments should it mete out?
Should the cyber body mimic Ofsted and carry out inspections and provide examples of best practice? And, if so, where do they draw that best practice from?
Money is another obvious sticking point. How do you fund such a body? One option would be to use the proceeds of cyber criminality confiscated by the Proceeds of Crime Act.
Another challenge is the international nature of business. For example, the education ombudsman Ofsted works within delineated geographical bounds – it is obvious where a school is located and whether it comes under the regulator’s remit.
But cybercrime often spans multiple jurisdictions. There are multiple factors that could qualify a company to fall under Ofcyber – such as the location of its headquarters, a physical presence in the UK or simply that it does business in Britain.
Ofcyber as a concept has vast potential but the ultimate measure of its hypothetical success would be ensuring it makes businesses more secure and detracts from, rather than promotes, the considerable challenges of maintaining cyber security.
As one experienced IT security expert, who chose to remain anonymous, puts it: “While there are clearly challenges that would need to be addressed in terms of funding, structure and remit, introducing blanket cybersecurity regulation can only be a positive move. If a customer sees that a company has a good Ofcyber rating that will increase their trust in the brand.”
What does the SC Media community think about ‘Ofcyber’? We put the case to the experts...
Should companies be fined for botched cyber strategy?
Richard Starnes, chief cybersecurity strategist, Capgemini