Frequent Breaches Have Brought Cybersecurity Change To The Forefront. What's Next?

Forbes Technology Council
POST WRITTEN BY
Casey Ellis

Over the last 20 years, the cybersecurity industry has often said each breach is going to be the wake-up call the industry needs. It’s happened so many times that it’s practically a running joke. But now, things are starting to change — with the extent to which these breaches are now impacting consumers, the wake-up call finally seems to be gaining traction. The Marriott and Equifax breaches were both game-changers that I believe will act as catalysts for a real shift in the cybersecurity landscape.

At a recent hearing of the Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations, Senator Rob Portman highlighted the value of “using white-hat hackers” to “ensure criminals are no longer taking advantage of us as consumers.” As the co-founder of a company that offers white-hat hacking, I've seen that the sentiment around hackers has changed drastically in the last few years. When a Senate hearing about massive data breaches starts with how hackers can help, it’s clear we’ve crossed the chasm.

It’s clear we need to do more to prevent these types of attacks. And the recent hearing made it abundantly clear that the government has not only taken notice but is also looking for a solution. As with most problems, we must first identify the cause. The Senate report claims Equifax neglected cybersecurity for years — and blames the company’s “poor cybersecurity practices” for the breach that reportedly impacted 143 million users.

The sobering thing about this is just how common it is. Equifax stands out as the example of the moment, but it is not alone — Marriott and British Airways were just two of the top 21 breaches of 2018 identified by Business Insider. In cybersecurity, I've found that 99% of getting ahead of everyone else is just remembering to do the basic things right. Sometimes these are the most difficult things to do. It’s unfortunate that the “brand new” lesson learned here is something we’ve been talking about as an industry for about 20 years, but that’s the reality. So the question is: How do we as an industry support security teams and help organizations understand the importance of prioritizing basic things like patching?

Legislation And Cross-Organizational Sharing Are Key

Communication and sharing are key here. Equifax CEO Mark Begor echoed this in the hearing when he told the subcommittee that he supported actively sharing best practices between organizations.

I'm already seeing signs of change, with security becoming a board-level discussion and shareholders demanding answers on what these companies are doing to keep data secure. The Senate hearing is a great example of this.

But it's not just up to individual organizations. The kind of sweeping change we need requires discussion at all levels, including governmental organizations. In California, a new bill stemming from the Marriott breach would make California's already strong data breach notification laws even more robust. This was echoed by Senator Tom Carper in the hearing when he said it was "long past time" for Congress to come to an agreement on federal data security, privacy and breach notification laws.

The Changing Security Climate Calls For New Strategies

The trend that excites me most is that we’re also seeing accountability from the ground up. Consumer fears around privacy and identity theft (like those highlighted by PwC) have made security a selling point that companies now market on. While it's still relatively new for consumers to change the way they spend money based on security, I believe this will grow as a concerned population looks for ways to modify its behavior and reduce personal risk. Times are changing — it’s no longer a stretch to think consumers will change buying habits based on security.

Avoiding what happened with Equifax is the goal of every company. Yet one study by Sonatype (via Fortune) found that 57% of the Fortune Global 100 had downloaded vulnerable versions of the software targeted in the Equifax breach after the incident. New vulnerabilities are created every day, and organizations need to remain vigilant in order to find them before the bad guys do. One way to do this is by creating a vulnerability disclosure program. Like a neighborhood watch for the internet, a vulnerability disclosure program that takes advantage of external hackers can ensure organizations find out about and fix vulnerabilities before adversaries can take advantage of them. (While my company offers vulnerability disclosure programs, others do as well, and companies can also create them themselves.)

As discussed on Lexology, every vulnerability disclosure program is different, so you should customize yours to your organization's requirements and assets. Regardless of these factors, every program should include three things: a website or other communication channel (such as email or a platform) through which to receive submissions from participants; an externally facing policy that sets out clear expectations for the program; and processes that help you decide how vulnerabilities will be dealt with as they arise.

Your external-facing policies, or rules of engagement, should state what is in and out of scope (where hackers should and should not look for bugs), establish safe harbor for hackers who submit in good faith and provide clear instructions on how to report issues. (Is it via a "security@" email address or an embedded submission form on the security page?) If you're using a platform, it's important to consider how it will accept submissions (email, embedded submission form or public program page) and whether you can feed the submitted vulnerabilities into any other security programs you may be running. You should also look for platforms that integrate with your existing workflows, so that the vulnerabilities found can be easily shared with engineering and reported back to the security team once fixed, and that provide custom reporting.
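The three building blocks above (a reporting channel, a public policy with scope and safe harbor, and a process for handling what comes in) can be made concrete in a few dozen lines. The following is an added example, not code from the article or from the author's company. It assumes the reporting channel and policy link are published as a security.txt document (RFC 9116, served at /.well-known/security.txt; the article mentions only a "security@" address, so using that standard for it is an assumption), and it applies the rules of engagement to an incoming submission to pick a handling queue. Every hostname, address and submission in it is a constructed placeholder.

```python
"""Added example (not the article's or author's code): a minimal VDP intake helper.

1. Publish the reporting channel and policy as RFC 9116 security.txt fields.
2. Classify a submission's target against the rules of engagement (scope).
3. Route the submission to the queue the program's process defines.
All hostnames, URIs and submissions are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from urllib.parse import urlparse


@dataclass
class RulesOfEngagement:
    contact: str                      # mailto: or https: URI hackers report to
    in_scope: list                    # hostname globs hackers may test
    out_of_scope: list = field(default_factory=list)  # explicit exclusions; win over in_scope
    policy_url: str = ""              # full policy, including the safe-harbor statement

    def security_txt(self, now=None, days_valid: int = 365) -> str:
        """Render the RFC 9116 fields. Contact and Expires are mandatory;
        Policy points hackers at the scope and safe-harbor text."""
        now = now or datetime.now(timezone.utc)
        expires = (now + timedelta(days=days_valid)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines = [f"Contact: {self.contact}", f"Expires: {expires}"]
        if self.policy_url:
            lines.append(f"Policy: {self.policy_url}")
        return "\n".join(lines) + "\n"

    def scope_of(self, target_url: str) -> str:
        """Classify the asset a submission names. Exclusions are checked first
        so a wildcard like *.example.com can still carve out one host."""
        host = (urlparse(target_url).hostname or "").lower()
        if any(fnmatch(host, p) for p in self.out_of_scope):
            return "out_of_scope"
        if any(fnmatch(host, p) for p in self.in_scope):
            return "in_scope"
        return "unknown"


def validate_security_txt(text: str, now=None) -> list:
    """Return the problems a checker would flag in a published security.txt:
    missing Contact, missing or malformed Expires, or an Expires in the past."""
    now = now or datetime.now(timezone.utc)
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            fields.setdefault(key.strip().lower(), value.strip())  # first occurrence wins
    problems = []
    if "contact" not in fields:
        problems.append("missing Contact")
    if "expires" not in fields:
        problems.append("missing Expires")
    else:
        try:
            exp = datetime.strptime(fields["expires"], "%Y-%m-%dT%H:%M:%SZ")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not an ISO 8601 UTC timestamp")
    return problems


def triage(roe: RulesOfEngagement, submission: dict) -> str:
    """Pick the handling queue for one submission, per the program's process.
    Queue names are constructed for this example."""
    scope = roe.scope_of(submission["target"])
    if scope == "out_of_scope":
        return "reply-out-of-scope"     # thank the reporter; no engineering ticket
    if scope == "unknown":
        return "triage-manual"          # asset not listed in the ROE; a human decides
    if submission.get("severity") in ("critical", "high"):
        return "engineering-urgent"
    return "engineering-backlog"


if __name__ == "__main__":
    roe = RulesOfEngagement(
        contact="mailto:security@example.com",
        in_scope=["example.com", "*.example.com"],
        out_of_scope=["legacy.example.com"],
        policy_url="https://example.com/security-policy",
    )
    print(roe.security_txt(), end="")
    print(validate_security_txt(roe.security_txt()))
    print(triage(roe, {"target": "https://app.example.com/api", "severity": "high"}))
```

The out-of-scope check runs before the in-scope check on purpose: a program that lists `*.example.com` as fair game but excludes one legacy host needs the exclusion to win, and a submission against an asset the policy never mentions goes to a person rather than being silently accepted or rejected.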

The U.S. government is already doing this. The 2017 Federal IT Modernization Report positions vulnerability disclosure as a best practice. This simple step empowers organizations to find and fix vulnerabilities faster and to build useful security feedback loops between builders and breakers, minimizing the likelihood of cyberattacks and public disclosure incidents.
