As data breaches increased over the last decade, cybersecurity gained the attention of multiple governments, driving policies on transparency and vulnerability disclosure.
For 20 years the cybersecurity industry has said that each new breach would be the wake-up call the industry needs. Now that breaches directly affect consumers, a real shift in the cybersecurity landscape is overdue.
Last month the US Senate released an investigation report titled ‘How Equifax Neglected Cybersecurity and Suffered a Devastating Data Breach’, which found that poor cybersecurity practices led to the breach of data on 143 million people. The Equifax breach is the latest major one, but not the only one: Marriott and British Airways were among the top breaches of 2018. Experts point out that cybersecurity comes down to doing the basic things right, and that the basics are sometimes the most difficult things to do.
As accountability has grown from the ground up, consumers have begun to fear personal data breaches and identity theft, and security has become something companies must also communicate to their customers, not just something they do.
A Sonatype study, reported by Fortune, found that almost 60% of Fortune Global 100 companies downloaded vulnerable versions of the software exploited in the Equifax breach (the Apache Struts framework) even after the incident. Experts believe companies need vulnerability disclosure programs that let them learn about and fix such vulnerabilities before adversaries take advantage of them.
Regulators expect companies to play an active role in managing vulnerabilities in their systems, including through vulnerability disclosure programs. The 2017 Federal IT Modernization Report lists vulnerability disclosure as a best practice. The Federal Trade Commission recently “encouraged” companies to develop processes for managing and responding to vulnerability reports, and the US Department of Justice issued detailed guidance on how to set up a vulnerability disclosure program. The Food and Drug Administration included ‘a coordinated vulnerability disclosure policy and practice’ in its guidance on cyber risk management programs for medical devices. Experts expect regulators to keep their focus on the development and implementation of vulnerability disclosure programs.
No two vulnerability disclosure programs are the same; each company has to tailor its program to its own requirements and assets. According to experts, every program should at minimum offer an email address or website where participants can submit reports. The external-facing policy must state what is in and out of scope and provide a safe channel for reporting issues.
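As an added example (not from the original article), the external-facing intake described above, a contact channel, a pointer to the scope and safe-harbor policy and an encryption key for sensitive reports, can be published in the machine-readable security.txt format standardized in RFC 9116 and served at /.well-known/security.txt. The hostname example.com, the addresses and the URLs below are placeholders:

```text
# /.well-known/security.txt  (placeholder values for example.com)
# Contact and Expires are the two fields RFC 9116 requires; the rest are optional.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2025-12-31T23:59:59Z
Encryption: https://example.com/security/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

The Policy URL is where the in-scope and out-of-scope statement and the safe-harbor terms belong; the Expires date has to be kept current, since researchers are told to treat an expired file as stale. RFC 9116 also recommends publishing the file with an OpenPGP cleartext signature so that a reporter can verify the contact details have not been tampered with.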
Vulnerability disclosure programs also provide an opportunity to structure engagement with governments and to publicly demonstrate a commitment to responsible cybersecurity practices.
Government involvement not just in issuing policies but also in guiding how to follow them is seen as a positive change. Security is becoming a board-level discussion, since shareholders are demanding answers on what companies are doing to keep data secure.