It is becoming increasingly apparent that, regardless of what the letter of the law may require, any failure to disclose a security breach is now beyond the bounds of socially acceptable corporate behavior.
The latest disclosure controversy revolves around Okta, a provider of a widely used platform for authenticating end users. In January, the Lapsus$ data extortion group apparently managed to compromise an account of a service technician employed by a service firm that partners with Okta. That breach was investigated, but last week Okta issued a statement detailing the timeline of events and acknowledging that more should have been done to respond to the incident faster.
While there are a lot of tongues clucking about this incident, there is no cybersecurity or IT professional that hasn’t wrestled with the same disclosure issue. Most security and IT professionals know just how easily they could find themselves in the same situation. Compromises of credentials are now almost routine. It’s hard to distinguish what constitutes a major breach. In many cases, no one is quite sure of the extent of a breach until cybercriminals let everyone know about it. In this latest instance, it appears a teenage member of Lapsus$ wanted their bragging rights to be officially recognized. Most other cybercriminals generally try to lay low after a successful breach.
New legislation and increased social pressure
All this attention on disclosure just happens to coincide with pending legislation that will require organizations that operate critical infrastructure to report breaches. Those organizations span everything from operators of pipelines to financial institutions. Not every organization is going to be required to disclose, but the prevailing sentiment is moving toward an expectation of full disclosure. The end customer does not want to be left wondering what else might have transpired that they don’t know anything about. Everyone knows a cybersecurity breach can occur for any number of reasons. The appearance of trying to cover up that breach is what results in a loss of confidence that is extremely difficult to recover. We are on the cusp of a new era where the failure to disclose a breach can cause more disruption than the actual breach itself.
On the plus side, however, the need to disclose breaches is also likely to force the boards of organizations to pay more attention to cybersecurity in general. They say the best cure for any type of infestation is sunshine. One of the biggest issues that cybersecurity teams still often wrestle with is the level of risk many businesses are willing to take based on the simple assumption that cybercriminals will focus their efforts on some entity that is less fortunate. It’s basically the equivalent of a herd mentality that assumes there will always be some weaker organization that falls prey to a cyberattack. The trouble with that theory is that it not only fails to account for the number of predators there really are, it also fails to recognize their insatiable appetites. Once a weakness is detected, cybercriminals simply keep coming back for more.
Full disclosure of cybersecurity breaches is intended to strengthen the ability of the herd to respond to threats. It may not lead to the takedown of a predator, but when a herd acts in concert for the common good, there are plenty of instances in nature where it not only survives but thrives regardless of how fast or strong any predator might be, with the possible exception of humans. Of course, the surest way to either fall victim to a predator or simply starve to death is to be ostracized from the herd altogether. Like it or not, that may very well be the fate many organizations soon face if it ever comes to light that they put their own self-interest ahead of the rest of the community they depend on to exist.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.