How ransomware is changing the regulatory agenda

The world of regulation is notoriously slow, and it typically takes years of proposals, reviews and revisions before new regulations finally become law. That makes sense: when it comes to laws that can affect millions of people and change aspects of our lives, the highest level of oversight is essential.

However, this approach is being challenged by the relentless pace of evolving cyber threats. With cybercriminal groups constantly refining their attacks to maximize returns and inflict greater damage, governments are under pressure to respond and drive change with new frameworks and guidelines that force organizations to implement higher security standards.

Regulation plays an influential role in shaping security strategies and raising the bar for security. Given the scale and cost of disruption they cause, ransomware attacks are of particular concern to authorities around the world. Laws that govern how organizations protect against, respond to, and report ransomware attacks are intended to strengthen our national cyber defenses and deter attackers.

This is to be welcomed, but change takes time and compliance is not an end in itself. Organisations should also take matters into their own hands to stay ahead of the curve when it comes to proactively mitigating threats rather than waiting until they meet the mandatory minimum.

Doctor Darren William

CEO and Founder of BlackFog.

The changing regulatory landscape

Towards the end of last year, ransomware was presented as a national threat in a UK government report, with a claim that there was a high risk of a “catastrophic” attack. Given the scale of the threat we now face, the government announced proposals in May around mandatory ransomware reporting and a potential licensing agreement before victims pay a ransom.

With ransomware attacks now a matter of national security, threats against critical infrastructure often elicit the fastest government responses. For example, following the Colonial Pipeline ransomware attack, the U.S. government issued guidance requiring stricter security requirements for pipeline operators, setting a precedent for other industries.

The disruption caused by encrypted systems is only part of the story. Attackers are focused on stealing data, and millions of people are at risk of having their personal information bought and sold by criminal gangs on the dark web.

That’s why recent regulations have put a greater focus on data protection. The most recent proposed American Privacy Rights Act (APRA) focuses on data breach notifications, consumer rights, and strong enforcement mechanisms. APRA aims to unify disparate state laws into a comprehensive federal standard, which will have a significant impact on how businesses handle and protect data.

APRA is proposing a range of consumer data privacy controls similar to those in the GDPR, coupled with stricter responsibilities for businesses to keep data secure. These include requirements around identifying vulnerabilities, testing systems and improving employee training on security protocols.

As the stakes rise for companies that fail to adequately protect their systems and data, the regulatory change also puts the spotlight on the actions of senior executives. This focus on individual responsibility and accountability is a growing trend, with CISOs and other top decision makers facing the threat of personal liability in the event of serious breaches. The SEC’s new stance on security disclosure requires incidents to be reported within four days and places the onus on CISOs to ensure that happens. In a landmark case, the SEC charged the CISO of SolarWinds with fraud and internal control lapses in connection with the company’s notorious software supply chain breach.

Collaboration is the key to effective regulation

UK executives may view this development with concern, and the global nature of security trends means we need to pay attention to major regulatory changes on both sides of the Atlantic. The common denominator is that to be effective, regulation must be realistic and achievable for businesses to implement. Governments and regulators can create more effective regulation by working with industry experts to understand practical constraints and opportunities. Simplifying compliance processes and providing clear, actionable guidance can help ensure that regulation enhances security rather than hinders it.

To achieve this, consultation with industry experts is essential when drafting cybersecurity regulations. Regulations are more likely to be enforced if they are based on practical insights from industry professionals. Collaboration with security professionals also ensures that policies are not only enforceable, but also effective in addressing current threats.

Collaboration across sectors is equally important, ensuring that best practices and innovative solutions are shared between decision makers in different disciplines, and between the public and private sectors. This is especially important as threat groups use the same tactics across multiple sectors. By working together, governments and industries can prioritize data protection and increase resilience to disruptive attacks.

Strategies to increase resilience

Companies should carefully assess their data security measures against government and industry regulations. However, compliance should be seen as the minimum standard, not the ultimate goal.

They should actively pursue strategies to increase resilience, rather than waiting for regulations to mandate it. This includes implementing multi-factor authentication (MFA), conducting regular security audits to identify weaknesses, and deploying capabilities to identify malicious behavior and prevent data exfiltration. Training employees in cybersecurity best practices is also critical.

Since attackers are looking to intercept data, monitoring outbound traffic is one of the most important aspects of any cybersecurity strategy. This can stop data theft before it leaves the system.

However, we often see that enterprises are so concerned with monitoring signals of incoming external threats that they miss what is going out. And because they do not have effective monitoring, they do not know enough to know whether they have a problem with data exfiltration in the first place.

It’s similar to what we saw at the height of the COVID pandemic, when countries were saying they had low infection rates because they weren’t actively testing. There are a lot of companies that are confident in their strategies because they’re not looking in the right places to realize that they might have a problem.

By preventing systems from being compromised through strict access controls and preventing sensitive data from leaving the network through measures such as anti-data exfiltration (ADX), organizations can avoid being forced to negotiate with attackers or having their data exposed to the dark web. Meanwhile, threat groups will look for easier, less prepared targets.

As governments and regulators around the world place greater emphasis on reporting processes and data protection, organizations must prepare to meet increased compliance needs in the near future. Prioritizing visibility and control over system access and critical data will reduce the impact of disruptive attacks and prepare businesses to meet regulatory demands as lawmakers take more action to strengthen our collective defenses.

We’ve highlighted the best endpoint security software.

This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro