Once you’ve been hit by a cyber attack, the damage has already been done. There’s no way to make the disruption disappear, so you might suppose it’s best to just get on with things. Reporting the incident to your supervisory authority means extra work and could cause a PR nightmare.
Nonetheless, it’s essential that you notify relevant parties of the breach. The attacker is a criminal, and it’s your duty to report crimes. This is particularly the case if your customers’ personal data has been exposed. Reporting an incident allows individuals to look out for suspicious activity, such as money disappearing from their bank accounts, and enables them to take steps to protect themselves.
Notification also helps other organisations prepare for similar attacks. Criminals often reuse successful techniques, whether it’s a particular scam method or a network vulnerability, and publicly announcing this threat gives organisations time to address the issue. If all organisations do this, you will benefit massively in the long run.
This issue connects to a far bigger problem: no one is truly aware of just how big the threat of cyber crime is. The number of reported incidents has surged in the past few years, but experts suspect there are still a vast number of unreported breaches. If there was more transparency, organisations would realise how important it is to address cyber security. It would also make criminals’ jobs harder. As it is, cyber crime is practically a no-risk venture: whether you succeed or fail, you fly under the radar and almost certainly won’t face any consequences.
Will reporting actually stop criminals?
Organisations might counter these points by noting that very few cyber criminals are identified even when cyber crime is reported. A survey by the UK’s National Crime Agency found that only 38% of respondents are confident that law enforcement responds appropriately to cyber attacks.
This problem is exacerbated by the light punishment that convicted cyber criminals receive. Cyber security journalist Brian Krebs is one of the few people who regularly reports on the prosecution of cyber criminals, and often criticises the leniency of judges. Commenting on one case, he wrote:
[C]ourts around the world continue to send a clear message that young men essentially can do whatever they like when it comes to DDoS [distributed denial-of-service] attacks and that there will be no serious consequences as a result. […]
I would submit that if we don’t have the stomach to put these “talented young hackers” in jail when they’re ultimately found guilty, perhaps we should consider harnessing their skills in less draconian but still meaningfully punitive ways, such as requiring them to serve several years participating in programs designed to keep other kids from following in their footsteps.
Doing anything less smacks of a disservice to justice, glorifies DDoS as an essentially victimless crime, and serves little deterrent that might otherwise make it less likely that we will see fewer such cases going forward.
It’s therefore clear that breached organisations aren’t the only ones that need to rethink their response to cyber attacks. It requires a coordinated effort from everybody involved to appreciate the magnitude of the problem and how to reduce it. Organisations’ responses should include a detailed breach notification procedure, but it’s just as important to fortify defences and mitigate the threat of attacks.
Prevention is better than the cure
It’s not possible to eradicate cyber security risks, so organisations need to create a layered security system where vulnerabilities can be identified in multiple ways. An organisation’s biggest weakness is often its staff, so awareness training is vital. However, many attacks stem from technical vulnerabilities, so organisations should also conduct regular penetration tests to assess their systems’ security.
Penetration testing is essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the organisation’s networks or applications.
A level 1 penetration test provides adequate protection for organisations that want to identify exploitable weaknesses, such as those in the OWASP Top 10. These tests replicate the kinds of low-budget attack that an opportunistic criminal hacker would attempt, and are ideal for small-to-medium-sized organisations or those with no experience of security testing.