The impact of mandatory breach notifications on UK plc
What do the latest EU plans mean for the UK, and will they make the European enterprise a safer place?
The argument being that the enterprise will learn from any mistakes post-breach regardless of whether the public are aware of that breach or not. My response was that if the media does discover a 'hidden breach', and there is every chance that it would, then the reputational damage would be far worse than if the organisation had simply adopted a transparent attitude and admitted the fact up front. As for the impact upon practical data security implementation, surely logic dictates that if you know that a breach must be disclosed, you will not only be more vigilant to prevent it (and that translates to being more likely to allocate sufficient budget in times of recession) but also more responsive to change following any incident.
As you might imagine, I'm therefore 100 per cent behind Brewer when he says that "no organisation should wait for new legislation to obligate them into maintaining a transparent IT security strategy".
Not everyone within the IT security industry is so supportive of the new EU proposal. A good example here would be Jarno Limnell, director of cyber security at Stonesoft, who puts forward an argument that increasing the regulatory and legal requirement isn't necessarily the best way to mitigate risk. "The rules proposed by the European Union reflect the misunderstanding that currently prevails in Europe, namely that everything, in this case cyber threats, can be solved by creating more statutes, directives and restrictions," Limnell insists.
"This is neither the right nor the most efficient way to improve European cyber security," he adds. What Limnell suggests as an alternative is for another of the EU proposals to take centre stage, namely that every European state has its own CERT.
"What is needed is for each European country to have an authoritative cyber agency, such as CERT, with very skilled personnel, who take cyber security threats and challenges seriously," Limnell says.
He adds that, from a constitutional perspective, the same agency should become both investigative and punitive in its role. I don't disagree on the CERT issue. Indeed, collaboration and information sharing are key to fighting cyber crime, as anyone involved with law enforcement or security research will readily admit. Limnell's argument is that breach reporting can be done discreetly, in private if you like, with all the necessary data being shared between the various national CERTs, and the end result will be the same: improved security and an improved chance of catching the bad guys.
This is where we must agree to differ, I fear. The suggestion that making a company feel 'safe' that its brand will not be damaged by disclosure will do more to encourage it to come forward than the risk of a big fine and ultimate public disclosure anyway (assuming that some kind of annual security auditing was required to regulate the process in the first place) makes little sense to me.
Yes, there has to be situational awareness regarding the cyber threat, but I'm not convinced that this will only come if reporting remains private. After all, ask yourself this: how many companies are volunteering their breach data to the authorities today?
Pan-European regulation seems to be the only way forward. This would put all countries and all companies on an even footing and provide an opportunity for more secure business practices across the board. Cyber crime doesn't recognise borders, so why should cyber crime regulation? Importantly, and I really do think this is the overriding factor here, enterprises will be seen to be putting their houses in order, and that equates to increased consumer trust.
Ultimately, data security is not just an IT issue but an integral business concern that should be at the very heart of every organisation, with full board-level support. The proposed pan-European mandatory breach notifications, along with the requirement to share information between nation state CERTs, seem best placed to ensure this becomes the case.