Name and shame cybersecurity: a gift for cybercriminals?

The “name and shame” trend has become popular in cybersecurity: even FBI officials suggest using it. A couple of weeks ago, UK National Cyber Security Centre (NCSC) announced that it will name and shame departments failing to secure their emails (properly implement DMARC). The NCSC plans to incentivize government domain owners to implement email security measures by setting up a dashboard of red, amber and green indicators based on the level of email security in each government domain.

It is not yet clear if the dashboard will be freely accessible to everyone, but if so, cybercriminals should be very grateful for a centralized and up to date dashboard with governmental domains they can use in new spear-phishing and drive-by-download spam campaigns. Obviously, attackers can perfectly do continuous monitoring looking for new targets themselves, but why refuse free gifts?

During a recent IP Expo Europe event, James Lyne, head of security research at Sophos, said: “We’re about to enter a period where we’re going to name and shame” referring to the introduction of GDPR in 2018.

A few weeks ago, there was disturbing news wrapped within SWIFT’s announcement of SWIFT Customer Security Programme (CSP) introduction, in which SWIFT will “name and shame banks who fail to meet security standards”. Later, SWIFT fortunately clarified the situation, saying that the [member bank’s] compliance status will be made available to their trading partners within the SWIFT network only.

So, cybercriminals who are behind a series of recent SWIFT member bank breaches will continue to do their homework on new victims search themselves (assuming they have no insiders or backdoors among SWIFT stakeholders).

But let’s come back to GDPR (the full text of the EU regulation act is available here). According to Article 34 of the Act, in addition to supervising authority (as per Article 33), the controller [company that holds PII of EU citizens] shall communicate the personal data breach to the data subject without undue delay. Exceptions exist if the compromised data cannot be used for any malicious activities, for example was reliably encrypted. Administrative fines for GDPR non-compliance may go up to 10’000’000 EUR, or up to 4% of the guilty company’s total annual turnover.

According to a PwC publication on GDRP, a “part of the challenge of the GDPR is that it creates a funnel through which non-compliance turns into serious regulatory penalties, litigation and public disgrace. The funnel is the breach disclosure requirement, which will effectively require entities to wash their dirty linen in public.” A recent GDPR review conducted by Gartner, says that “once the EU GDPR comes into effect [May 2018], a single complaint could result in an audit and a fine for improperly handling personal data.”

After Brian Kreb’s website fell victim to an unprecedented DDoS attack, the industry was very concerned about the extraordinary power of DDoS attacks, capable to censure anyone on the web. However, with a GDPR enforcement, cybercriminals will rather breach their victim, loudly leak compromised PII in public, and wait for victim’s bankruptcy due to a tsunami of complaints. Taking into consideration that over 60% of web services contain at least one high-risk vulnerability, allowing database compromise – that wouldn’t be very difficult. In other words, GDPR may become an emerging nuke to eliminate competition by the European Court’s hands and in full compliance with the law.

Jan Schreuder, partner, Cybersecurity, PwC Digital Services, comments: “Mandatory breach disclosure has long been part of privacy legislation in the US and a number of other countries, however we are now seeing that data protection and cyber regulations are including it in proposed or enacted legislation and regulations. Organizations globally and especially in Europe need to prepare for a new world where data breaches will inevitably become public. Maintaining the trust of stakeholders including regulators, shareholders, customers and employees in case of a breach is of utmost importance, and recent experience has shown that the quality and timeliness of the communication from the organization’s leadership is crucial. Preparing your communication strategy in advance rather than in the heat of the crisis is an important element in planning your response to cyber attacks.”

The road to hell is often paved with good intentions. Something similar may occur with an overabundance of cybersecurity and privacy regulations, especially if name and shame practice will dominate them.

Nonetheless, common-sense approach to cybersecurity, holistic risk assessment and continuous security monitoring can not only assure reliable cybersecurity, but also help comply with almost any security standard or regulation, from PCI DSS to GDPR.