The threat posed by hackers and online criminals is very real, but reports of instances of cybercrime may not be very reliable. When cyberattacks are announced the data can be used to estimate the current threat level. Unfortunately, not all cybercrimes are reported by companies, and even IT departments are often unaware that employees have become victims of phishing campaigns.
In certain industries, the reporting of cybersecurity incidents and data breaches is mandatory. Take the U.S healthcare industry for example. Legislation has been introduced – The Health Insurance Portability and Accountability Act (HIPAA) – which makes it a criminal offense not to report a breach of patient data. If an organization is discovered to have violated the HIPAA Breach Notification Rule, a heavy fine can be issued by the Department of Health and Human Services’ Office for Civil Rights.
The Federal Trade Commission and state attorneys general can also issue fines. Criminal charges can also be filed against individuals for willful neglect of HIPAA Rules. Consequently, it is in the best interests of organizations to report cybersecurity incidents. The data breach reports submitted to the OCR can therefore be relied upon to be reasonably accurate, and it is possible to build up an accurate picture of the state of data security for the healthcare industry.
However, not all industries are so well regulated. A similar data breach suffered by a software company or mining operation may see the organization keep the crime quiet. Announcing a security breach has potential to seriously tarnish a brand.
If you had a choice between one company that had suffered a data breach that exposed sensitive customer data, and one that had not, which company would you choose (all other things being equal)?
Should the reporting of cybersecurity breaches be mandatory for all businesses?
Many privacy and security professionals believe it is essential to report cyber threats and security breaches as the sharing of information can be invaluable in the fight against cyber crime. Intel sharing could make the difference between a threat being rapidly neutralized and many other organizations suffering data theft. This is an ethical responsibility. Should it also be a legal responsibility as well?
The United States has been proactive in the fight against Internet crime. The government and law enforcement agencies are well aware of the importance of sharing intelligence in order to tackle the increasing cybercrime threat.
In 2000, the Federal Bureau of Investigation, the National White Collar Crime Center, and the Bureau of Justice Assistance formed a task force which was dedicated to fight Internet crime. The Internet Crime Complaint Center (IC3) serves as a centralized hub that receives complaints about Internet crime and processes threat intel received from American citizens and U.S businesses. All leads received are passed on to the appropriate federal and state-level law enforcement agencies. The data received by IC3 has been instrumental in bringing thousands of Internet criminals and fraudsters to justice.
IC3 also ensures that individuals and companies suffering losses as a result of the actions of online fraudsters have someone to contact to report the crime. Other countries have started to develop task forces that perform a similar function. Victims of cyber crime are being given a single point of contact to report fraud, scams, identity theft and online extortion, and the intelligence gathered can be used to bring the perpetrators of these crimes to justice.
Harsh Penalties await Online Fraudsters and Cybercriminals
In the United States, online criminal activity carries stiff penalties. New legislation is introduced regularly to increase the punishments for individuals who turn to the Internet to commit crimes. These include:
Spamming: Under the CAN-SPAM Act, spamming is punishable with a minimum fine of $11,000. Depending on the method used to send email spam, the penalties can be much more severe. The use of spambots to collect email addresses can result in jail time, as can the unauthorized use of a computer to send spam emails.
Hacking: Hacking is a federal crime that carries stiff penalties. These are linked to the seriousness of the crime, but a spell of up to 20 years is jail is possible, as well as very heavy fines.
Identity Theft: The penalty for identity theft has recently been increased, with individuals able to be sentenced to 5 years in jail. Aggravated identity theft sentences must be served consecutively to any other sentence issued.
Make sure employees are aware of procedures to follow if a security incident is suffered
Employees falling for phishing campaigns – if they are even aware that they have – may also choose not to report the incident to their managers or IT departments. Individuals may be worried about looking stupid or, worse still, losing their jobs.
However, it is essential that all potential security incidents are reported internally. Organizations should make sure the staff is aware that the reporting of security breaches, email scams and phishing campaigns is essential to protect the business. Internal security policies must exist, and members of staff must be made aware of the correct actions to take if they have fallen for a scam, revealed sensitive information, or have received a suspicious email. Oftentimes, fast action can make the difference between huge financial losses being suffered and the threat being neutralized before any damage is caused.
While law enforcement bodies may need to be alerted to instances of identity theft and phishing campaigns, employees should have a single person within their company to whom security incidents can be reported. Every employee in an organization must be made aware of the urgency required and the individuals who must be alerted to suspicious emails and potential criminal activity. If the staff is security aware and acts appropriately, major cybersecurity losses can be prevented.