How ransomware is reshaping the regulatory agenda

Lock on Laptop Screen
(Image credit: Shutterstock.com) (Image credit: Future)

The regulatory world is a notoriously slow-moving one and it typically takes years of proposals, reviews, and redrafts before new regulations finally become law. It makes sense – when it comes to laws that could affect millions of people and reshape aspects of our lives, the highest level of scrutiny is essential.

However, this approach is being challenged by the relentless pace of evolving cyberthreats. With cybercriminal groups continually refining their attacks to maximize returns and inflict greater damage, governments are under pressure to respond and drive change with new frameworks and directives that will compel organizations to implement higher standards of security.

Regulations have an influential role in shaping security strategies and raising the security bar and, given the scale and cost of disruption left in their wake, ransomware attacks are a cause for particular concern for authorities around the world. Laws stipulating how organizations protect, respond to, and report ransomware attacks, are intended to strengthen our national cyber defenses and deter attackers.

This is to be welcomed; however, change takes times and compliance with regulations is not an end in and of itself. Organizations should also be taking matters into their own hands to stay ahead of the curve when it comes to proactively mitigating threats rather than waiting to meet the mandated minimum.

Dr Darren William

CEO and Founder of BlackFog.

The shifting regulatory landscape

Towards the end of last year, a report from the UK Government framed ransomware as a national threat, stating there was a high risk of a “catastrophic” attack. Given the scale of threats now faced, in May, the Government announced proposals around mandatory ransomware reporting, and a potential license agreement before victims pay any ransom demands.

With ransomware attacks now an issue of national security, threats against critical infrastructure tend to provoke the fastest reactions from governments. In the aftermath of the Colonial Pipeline ransomware attack for example, the US Government issued directives mandating enhanced security requirements for pipeline operators, setting a precedent for other sectors.

The disruption caused by encrypted systems is only part of the story, with attackers heavily focused on data exfiltration, millions of people are facing the prospect of their private details being bought and sold by criminal gangs on the dark web.

Accordingly, recent regulations have placed a heightened focus on data protection. Most recently, the proposed American Privacy Rights Act (APRA) focuses on data breach notification, consumer rights, and stringent enforcement mechanisms. APRA aims to unify disparate state laws into a comprehensive federal standard, significantly impacting how businesses handle and protect data.

APRA proposes a raft of consumer data privacy controls similar to those of the GDPR, coupled with more stringent responsibilities for companies to keep data safe. This includes requirements around identifying vulnerabilities, testing systems, and improving employee training on security protocols.

With the stakes rising for businesses that fail to adequately protect systems and data, regulatory change is also putting the actions of senior executives under the spotlight. This focus on individual accountability and responsibility is a growing trend, with CISOs and other top decision makers facing the threat of personal liability in the event of serious breaches. The SEC’s new stance on security disclosure requires incidents to be reported within four days and places liability on CISOs to ensure this happens. In a landmark case, the SEC charged the CISO of SolarWinds with fraud and internal control failures over the company’s notorious software supply chain breach.

Collaboration is key for effective regulations

UK Directors may well look at this development with concern, and the global nature of security trends means that we should take notice of major regulatory changes on both sides of the Atlantic. The common denominator is that, for regulations to be effective, they must be realistic and feasible for companies to implement. Governments and regulatory bodies can create more effective regulations by engaging with industry experts to understand practical constraints and capabilities. Simplifying compliance processes and offering clear, actionable guidelines can help ensure that regulations enhance security rather than hinder it.

To achieve this, consultation with industry experts is essential when drafting cybersecurity regulations. Regulations have a better chance of being followed if they are informed by practical insights from industry professionals. Collaboration with security professionals also ensures that policies are not only enforceable but also effective in addressing current threats.

Cross-industry collaboration is equally vital so that best practices and innovative solutions are shared between decision makers in different fields, as well as between public and private sectors. This is especially important as threat groups use the same tactics across multiple sectors. By working together, governments and industries can prioritize data protection and increase resilience against disruptive attacks.

Strategies to boost resilience

Businesses must rigorously assess their data security measures against government and industry regulations however, compliance should be seen as the minimum standard rather than the ultimate goal.

They should actively pursue strategies to boost resilience, rather than waiting until regulations make it mandatory. This includes implementing multi-factor authentication (MFA), conducting regular security audits to identify weak points, and bringing in capabilities to identify malicious behavior and prevent data exfiltration. Training employees on cybersecurity best practices is also crucial.

With attackers intent on data exfiltration, monitoring outbound traffic so that data theft can be stopped before anything leaves the system is one of the most important layers of any cybersecurity strategy.

However, we often find that enterprises are so worried about monitoring for signs of external threats coming in that they overlook what’s going out. And because they don’t have effective monitoring in place, they don’t know enough to know if they even have a data exfiltration problem.

It’s similar to what we saw at the height of the COVID pandemic, where countries would declare they had low infection rates because they weren’t actively testing. There are many companies out there confident in their strategies because they aren’t looking in the right place to realize they might have a problem.

By preventing systems from being compromised through strict access controls and stopping sensitive data leaving the network through measures like anti data exfiltration (ADX), organisations can avoid being forced into the position of negotiating with attackers or having their data end up on the dark web. Threat groups meanwhile will move on in search of easier, less well-prepared marks.

As governments and regulators around the world begin placing greater focus on reporting processes and data protection, organizations should be braced to meet more compliance needs in the near future. Prioritizing visibility and control over system access and critical data will reduce the impact of disruptive attacks and prepare companies to meet the demands of regulators as lawmakers take more measures to strengthen our collective defenses.

We've featured the best endpoint protection software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Dr Darren William is CEO and Founder of BlackFog.