You can’t keep quiet when you’re hacked anymore

One of the dirty little secrets of many businesses, perhaps even most, is that far more of them than ever admit to it have been hacked. Still others end up paying ransomware, but they’ve never revealed this deep, dark secret. After all, who wants to admit to the world — and their customers — that they’ve been caught with their security pants down.

Well, things are about to change. In the recently signed $1.5 trillion government funding bill were new cybersecurity laws requiring companies to quickly report data breaches and ransomware payments. 

Whoops.

Sure, you were always supposed to report cybercrimes to the FBI’s Internet Crime Complaint Center (IC3), your nearest FBI field office, or report it at FBI Tips. But how many of you really did that?

According to the Department of Justice (DoJ) only one in seven victims of cybercrime fess up to having been hit. I’m surprised that even that many will reveal they’ve been successfully attacked.

No one likes admitting they’ve made a major mistake. That’s especially true when your customers might take one look at the news of your security blunder — and take their business to your rival.

Another reason is that the vast majority of successful attacks come not from being targeted by an elite team of hackers, but from employee ignorance and negligence. There’s a reason I keep writing about how to avoid being phished. It still happens all the time. Simple e-mail phishing tricks to get you to click on a link or open a file are still one of the top ways an attacker makes it into your systems.  

The other big reason companies get hacked is someone inside maliciously — or stupidly, it’s sometimes hard to tell the difference — opens the door to an attacker. In either case, no one inside a company wants to admit to those kinds of “fire me now” mistakes.

Well, the days when you could just do your best to fix the blunder and then pretend it never happened are ending.

While the exact regulations are yet to be written, going forward the Department of Homeland Security’s (DHS’s)  Cybersecurity and Infrastructure Security Agency (CISA) will demand you keep them in the loop when your security goes awry.

To be exact, if your business is in one of 16 critical infrastructure sectors, you’ll need to let the CISA know when you’ve been successfully attacked. To be exact, the new law requires you to report hacks within 72 hours of the discovery of an incident, and 24 hours if you make a ransomware payment.

Before you hyperventilate, take a deep breath. It may be the law of the land, but the regulations that turn that law into something you must obey haven’t been written yet. According to the major international law firm Holland & Knight, “The new cyber reporting obligations will not become effective until CISA promulgates rules to define the entities within the critical infrastructure sectors that will be impacted by this law and the types of substantial cyber incidents it covers.”

The CISA has two years to write up the regulations and then 18 months until they become final. Making laws and regulations is a long, tedious process.

In addition, not everyone in the government is keen on this new law. In what appears to me to be a classic governmental turf war the Justice Department and FBI don’t care for it one little bit. FBI Director Christopher Wray thinks it “has some serious flaws” and “would make the public less safe from cyber threats” because it sidelines the FBI in favor of the CISA.

Be that as it may, some kind of legal insistence that businesses actually report and track break-ins and ransomware attacks is coming. Get ready.

And — just a thought — how about taking better care of your security today so you don’t need to worry about explaining why you didn’t report a significant incident tomorrow.