A new bipartisan bill dubbed the Cyber Incident Notification Act of 2021 was just introduced by the Senate Intelligence Committee. The new legislation, if approved, mandates that all government contractors, agencies, and critical infrastructure operators report all cybersecurity incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of experiencing a breach or intrusion. Failure to do so will result in steep fines as high as 0.5% of the firm’s prior-year gross revenues—per day the violation continues.
For example, if a business’s annual gross revenue is $1 billion, the firm could face fines of up to $5 million per day for each day it does not disclose the incident. Contractors that violate disclosure requirements may be subject to additional penalties, such as removal of the business from the federal schedule.
That said, the bill does grant limited immunity to companies that report a breach. In addition, federal agencies will help investigate root causes and provide recommendations to mitigate the breach or intrusion.
Why is breach notification such a big deal?
Cyberattacks are known to cause ripple effects for hundreds or thousands of companies. If victims report breaches in time and swift action is taken, it is more likely that the threat will be neutralized or contained before it inflicts catastrophic damage.
Currently, there isn’t any federal obligation for companies to report breaches. Some state laws do mandate breach disclosure; however, studies show that companies take 53 days on average to disclose breaches.
The bill also presses CISA to initiate contact with the victims within two business days of the breach notification so the government can mobilize its full resources in a bid to reduce the scale of the attack.
CYBERSECURITY IS A NEW LEGISLATIVE POLICY
As many as 18 new cybersecurity bills — many with bipartisan support — are in the pipeline for the Senate to approve. From boosting security infrastructure to improving security literacy, communication, and coordination between government entities, there are several new bills on the horizon in the wake of the Colonial Pipeline ransomware attack, which is considered a national emergency.
Recently, the House panel approved a historic increase in CISA’s cybersecurity budget. A new executive order that forces software companies to disclose breaches to federal customers is also in progress.
What does this mean for businesses in general?
The U.S. faces more than seven ransomware attacks an hour, while phishing scams have grown more than 800% in the past two years. If you are a medium to large organization or a government supplier, you must have adequate security measures in place, and you must also notify the relevant authorities in case of a breach. If you are a small business, realize that cyberattacks could cost you $25,000 annually. There is even a possibility that attackers are targeting you because you are a supply chain partner to a large organization that could be a government supplier.
While the current laws only apply to organizations that are directly related to the government, we must all do our bit for our own safety and in the interest of national security. Here are our top three cybersecurity tips for organizations in general:
1. Improve security awareness in your organization: Ninety-one percent of all cyberattacks begin with a social engineering attack, so it’s extremely important for businesses to continuously improve security awareness internally. Humans are the weakest link in the security chain, but they can also be your strongest last line of defense.
2. Patch your systems regularly: Fifty-seven percent of breaches can be attributed to poor software patching, which is why it’s extremely important that systems are inventoried, assessed, and patched regularly. Also, turn off RDP (Remote Desktop Protocol) on all machines in your network and use more secure remote access methods.
3. Improve credential hygiene and use multi-factor authentication (MFA): Employees must change their passwords regularly and businesses should use MFA or additional verification methods to authenticate users.
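The RDP advice in tip 2 is the one item above that maps directly onto a host setting. The following script is an added example written for this article, not something from the original post or from KnowBe4: run in an elevated PowerShell session on Windows 10 / Server 2016 or later, it reports whether a host currently accepts RDP and then turns it off at both the Terminal Services setting and the Windows Firewall. The function names Get-RdpStatus and Disable-Rdp are ours; the registry path, value names and firewall rule group are the standard Windows ones.

```powershell
# Added example (not from the original article): audit and disable inbound RDP on a Windows host.
# Run from an elevated PowerShell prompt. Assumes the NetSecurity and NetTCPIP modules that ship
# with Windows 10 / Server 2016 and later.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpStatus {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $deny = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections

    # Is anything actually listening on the default RDP port right now?
    $listening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # Count enabled inbound firewall rules in the built-in "Remote Desktop" group.
    $fwEnabled = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RdpAllowed     = ($deny -eq 0)
        Port3389Listen = [bool]$listening
        InboundFwRules = @($fwEnabled).Count
    }
}

function Disable-Rdp {
    # 1. Tell Terminal Services to refuse new connections.
    Set-ItemProperty -Path $rdpKey -Name fDenyTSConnections -Value 1

    # 2. Close the inbound firewall rules, so the port stays unreachable even if
    #    the setting above is later flipped back by a GUI click or a GPO.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    # 3. Require Network Level Authentication, so that if RDP is ever deliberately
    #    re-enabled (e.g. on a jump host) the logon is authenticated before a session starts.
    Set-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
}

Write-Host 'Before:'
Get-RdpStatus | Format-List
Disable-Rdp
Write-Host 'After:'
Get-RdpStatus | Format-List
```

Port3389Listen may still read True immediately after Disable-Rdp, because the existing listener is only torn down when the Remote Desktop Services service restarts; the firewall rules being disabled is what blocks new connections in the meantime. For a fleet, the same two functions can be wrapped in Invoke-Command against a list of hosts, and the Get-RdpStatus output collected centrally gives an inventory of which machines still expose RDP before it is switched off.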
If you get hit by a cyberattack like ransomware, always remember to:
• Isolate affected machines immediately: Remove affected devices from the network to contain the spread of infection. If you are unable to do so, try to power the devices down.
• Update your passwords: Make sure you change each and every password to ensure attackers are unable to leverage compromised or stolen credentials.
• Notify federal agencies or law enforcement: Some researchers have already broken encryption algorithms of some ransomware strains. Perhaps they can help you recover or provide adequate guidance.
• Contact cybersecurity insurance (if you have it): Insurance carriers usually have a skilled ransomware expert on staff. They can help with ransomware negotiations and also provide recommendations on the best next steps.
• Execute your incident response plan: If you have an incident response plan in place, now is the time to put it into action. If your customer data is stolen, it might be a good idea for the legal and media teams to take control after consulting management teams.
• Flush out the root causes: Make sure you address all the root causes that led to the cyberattack in the first place. Remember, ransomware is a symptom, not the root cause.
Historically, cybersecurity and national security were discussed in silos. As more and more physical assets morph into the digital world, cybersecurity will become a key focal area for everyone, including lawmakers, business entities, and ordinary citizens. In the interest of security and development, all parties must come together and work toward a common goal to develop and nurture a culture of cybersecurity.
Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform.