Will penalties reduce cybersecurity breaches?
This year's attack on Albanian government IT systems has resulted in dire consequences for the government IT workers in charge of administering the affected servers: in late November, Albanian prosecutors requested that the employees be placed under house arrest for failing to update and patch the government computers. The Albanian IT officials are reportedly accused of “abuse of post,” which can carry penalties of up to seven years in prison, according to the Associated Press.
Even proponents of harsher penalties see the unintended consequences here: it will certainly get more difficult for the government to hire IT talent in the future, and it's hard to see how imprisoning people who failed to download software updates will improve the state of cybersecurity, unless the underlying reasons for security failures are tackled.
Cyber attacks are growing relentlessly and customer records are leaking on a daily basis, even though most governments have been introducing legislation imposing heavy fines on companies for years already.
For example, the General Data Protection Regulation (GDPR) was expected to revolutionize how companies and organizations in the EU treat data and address cybersecurity in order to minimize incidents. However, the fines under GDPR (up to 4% of global revenue) did little to reduce the wave of successful data breaches.
Governments across the world are now poised to toughen the rules and impose ever harsher penalties. Recently, the Australian government proposed a five-fold increase in the maximum penalties that apply to data breaches, going as far as a fine of 30% of a company's turnover in the period relating to the breach, dwarfing GDPR. It's certain other governments will follow this trend.
For one, the fines increase the incentives for cyber attackers and threat actors. Ransomware-as-a-service operators will certainly benefit and adapt further: when companies are faced with higher penalties, some will be more inclined to pay higher ransoms and less willing to report breaches. Threat actors are already leveraging this in so-called double extortion schemes, where they exfiltrate data prior to encryption and then threaten to leak the stolen data as leverage during negotiations.
Rather than focus on penalties, a much more productive approach is to incentivize and foster the adoption of secure practices, most importantly:
Eliminate on-premise hosted services as much as possible and prioritize the move to as-a-service offerings (SaaS), as recommended by CISA. In the case of the Albanian attack, the initial access was obtained through on-premise application servers, which are much harder to maintain.
Use multifactor authentication wherever possible, and rely less on passwords. Passwords are routinely harvested by attackers once they have a foothold in an organization.
Deliver security awareness training continuously (automated and non-intrusive solutions do exist). Tricking employees into clicking on malicious content is still the most common technique used by threat actors.