Firms do not report security incidents to the Government fearing that the latter would target them, say researchers.
Reporting security incidents to the government may lead to privacy infringement and firms being hounded by the press as a result.
At the Security BSides London conference, industry experts and cyber-security researchers congregated to discuss cyber-security vulnerabilities and the notion of companies working together with the government to fight security incidents.
The opinion of the researchers was unanimous: the government has not done its best when it comes to soliciting the support of the security research community. Reporting security incidents to the government not only exposes companies to regulatory punishment but also leads to privacy infringement and loss of reputation.
“We need to be able to ‘If you see something, say something’ but how can I say something? There’s literally no secure way that I can get this information to the NCSC (National Cyber Security Centre),” said Chris Kubecka, former senior information security staffer at Saudi Aramco.
Large-scale issues like identity theft and data breaches could have been successfully countered had these been reported to the government in time, she said. But the government itself is responsible for the lack of communication as there is no way companies can report incidents to the government without facing privacy infringements.
The General Data Protection Regulation (GDPR) will come into effect a year from now and will impose steep fines on firms that fail to protect customer data from hackers. The fines will go up to either 4% of a company’s annual turnover or €20 million, whichever is higher. Companies will also be required to report data breach incidents to the government within 72 hours of them occurring.
A number of banks in the UK are now expressing serious concerns over their ability to adapt to the upcoming legislation in the next twelve months. “Banks are struggling with legacy systems. From our discussions with chief technology officers at banks, they are concerned the technical challenge may be impossible given there is only a year to go,” Chris McMillan, a partner at consultancy firm Oliver Wyman, told the FT.
“At some banks, a customer’s data may be held on more than 100 systems, and each of these takes a long time to change, even for a simple change. Sometimes even the simplest changes take months and months. Multiply that by a hundred and it becomes a very complicated task,” he added.
GDPR will require companies and banks to conduct data privacy impact assessments to identify risks and mitigations before engaging in high-risk activities, such as processing data whose compromise may result in identity theft or financial loss. At the same time, each separate data collection activity by an enterprise will require clear, affirmative consent from the parties involved.
Source: Sky News