Should companies be fined for not doing cyber security basics?

The big headline-grabber about the General Data Protection Regulation (GDPR), set to come into force in 2018, is the huge fine that can be imposed on companies that have failed to comply with the legislation. The GDPR, which replaces the 1995 Data Protection Directive, sets the maximum fine for a single infringement at the greater of €20 million or 4 percent of annual global revenue.

Either would be an eye-watering figure for most companies. But while the EU has displayed considerable teeth in the GDPR rules, which include a requirement to report breaches within 72 hours and, for certain companies, to appoint a data protection officer, there is no fine for the mere fact of having been breached. Such a fine might be unfair, considering that some attacks are advanced enough to be, to all intents and purposes, unblockable.

Yet many modern attacks are notable for how easy they would have been to prevent. According to the 2016 Verizon Data Breach Investigations Report, most attacks exploit known vulnerabilities that have not been patched, even though patches may have been available for months or years. The report found that the top 10 known vulnerabilities accounted for 85 percent of successful exploits, while 63 percent of confirmed data breaches involved the use of weak, default or stolen passwords. As Rik Ferguson, Global VP of Security Research at Trend Micro, says, a SQL injection “should not succeed” in 2016. Yet TalkTalk was hacked successfully through that very means in 2015.
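To make concrete what "should not succeed" means in practice, here is an added example (not from the article, and not code from TalkTalk or from anyone quoted here) of the basic hygiene failure behind a classic SQL injection. It uses Python's built-in sqlite3 module with a constructed in-memory table and one made-up account; the login functions and the `' OR '1'='1` payload are illustrative assumptions. The vulnerable version splices user input into the query text, so an attacker who does not know the password still logs in; the parameterised version sends the values separately from the SQL, and the same payload is simply treated as a (wrong) password.

```python
import sqlite3

# Constructed sample data for the demonstration: one account in an in-memory DB.
# Passwords are stored in plaintext here only to keep the SQL readable; a real
# system hashes them, which is a separate piece of basic hygiene.
SAMPLE_USERS = [("alice", "correct horse battery staple")]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION_PAYLOAD = "' OR '1'='1"


def make_db():
    """Create the sample users table in a fresh in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """Return the SQL text a naive login routine would build by concatenation."""
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Vulnerable: attacker-controlled strings become part of the SQL itself."""
    (count,) = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return count > 0


def login_parameterised(conn, username, password):
    """Hardened: placeholders keep the values out of the query structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    (count,) = conn.execute(query, (username, password)).fetchone()
    return count > 0


def demo():
    """Run both login routines with real credentials and with the injection payload."""
    conn = make_db()
    good_password = SAMPLE_USERS[0][1]
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", good_password),
        "vuln_injected": login_vulnerable(conn, "alice", INJECTION_PAYLOAD),
        "param_good_creds": login_parameterised(conn, "alice", good_password),
        "param_injected": login_parameterised(conn, "alice", INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    print(build_vulnerable_query("alice", INJECTION_PAYLOAD))
    for name, result in demo().items():
        print(f"{name}: {'login OK' if result else 'login rejected'}")
```

The printed query shows why the vulnerable check passes: `... WHERE username = 'alice' AND password = '' OR '1'='1'` parses as `(username = 'alice' AND password = '') OR '1'='1'`, which is true for every row. The fix is not clever; parameterised queries have been available in every mainstream database driver for well over a decade, which is exactly why an injection in 2015 is a failure of basics rather than of sophistication.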

So should companies worry that fines will at some point be introduced not for being breached per se, but for failing to take even the basic security measures needed to protect themselves?

There is already a means of levying fines, at least in TalkTalk’s home country, the UK: the company was fined by the Information Commissioner’s Office (ICO) for failing to take basic steps to protect customer information. But compared to the scale of a GDPR fine, having to pay £400,000 (about 0.02 percent of the company’s annual revenue) is not a truly daunting figure, and certainly not one likely to drastically alter its investment or strategy.

The rest of the cost of the breach, estimated by TalkTalk at £60 million, was felt elsewhere, in damaged reputation and customer losses, but still only amounted to around 3.3 percent of the revenue figure. For a fine to force action it would have to be something genuinely business-impacting, like the GDPR’s. As Steve Manzuik, Director of Security Research at Duo Security’s Duo Labs, says, financial penalties are often treated as simply another cost.

“Businesses are going to make a risk-based decision. If the fine is cheaper than what it would take to build security, they may just take the fine.” He uses the hypothetical example of a company choosing between a $100,000 investment to tackle its security issues and a $50,000 fine. Manzuik says that many will simply take the risk of the latter and buy insurance. “While it’s frustrating, from a business and risk perspective it probably makes sense to those people running the business.”

Putting in place larger fines for failing to observe cyber security basics would need both the will and the means to enforce them. As Quocirca Analyst and Director Bob Tarzey says, the immediate question is not what, but who: which authority would implement such regulation in the borderless world of the internet? No candidate immediately suggests itself, although for the regulation to have any meaning at all it would have to apply across borders.

Even if the EU, or some other body, could apply such rules, Dan Wiley, Check Point’s global head of Incident Response & Threat Intelligence, says that there is not the will amongst lawmakers to protect citizen data. “[GDPR] is just to protect the banks and their assets; it’s not to protect [the citizen]. If they wanted to protect you, they would say all data must be encrypted everywhere and no-one can have a back door, no one can see anything: complete security. They would say that, but they don’t want that.”

He highlights the recent revelations that the British security agency GCHQ had been systematically breaking the law in snooping on citizens. Wiley also says it is unfeasible to assign an arbitrary value to protecting data when different data is valued in different ways. Not all data is inherently of the same value, and it would probably be both unreasonable and undesirable for an app start-up handling some minor metadata to be punished to the same degree as a bank handling hugely valuable financial data.

There would also be huge difficulties on agreeing what cyber security basics are and what businesses should be expected to do as a bare minimum. Doubtless the industry itself would be required to give some input, but who’s to say that a firewall is needed but not adaptive threat redaction, for example?

The law of unintended consequences also comes into play. Chris Boyd, Malware Intelligence Analyst at Malwarebytes, notes that “companies are afraid of reporting stuff anyway. There will be lots of companies who have lost fortunes and for obvious reasons are never going to tell anyone about it. No-one has any sort of incentive to go and report it.” Manzuik from Duo Labs echoes the sentiment: “The higher fines are going to make people find ways to not have to report that they had a breach.”

This may spill over into worse cyber security overall. After all, as many, including the CISO of Swift, have said, information sharing is required if security is going to be improved. “If I know that my company will be fined because I didn’t do the basic security hygiene stuff, I’m going to be less willing to share how I got breached,” says Manzuik. Bob Tarzey notes that some guidelines and rules around data already exist in some industries:

“PCI-DSS (which deals with payment card information) is prescriptive and not a bad basis for putting in place the requisite security for data protection. ISO27001 also provides good guidelines, however, this is not a regulation, but a standard for good data protection practice.”

While it would in many ways be comforting to their customers if companies faced huge penalties for not taking basic security measures, it does seem unlikely that such fines will manifest any time soon.
However, although companies may not be getting a GDPR-like kick into action, the (non-regulatory) costs faced by those such as TalkTalk in their breaches should be motivation enough.