How secure is your business and its supply chain, and could it stand up to public scrutiny?
Too often when a company does a cyber boo-boo, it will get off pretty lightly by issuing a statement saying how seriously it takes security concerns, that no financial data was stolen in the breach, and that users should change their passwords to be on the safe side.
Security-minded people are likely to make a note of it in the back of their mind, but in general terms, the population moves on soon afterwards with little or no memory of what occurred.
Despite Yahoo finally confessing earlier this month that every single account was exfiltrated in 2013, the demographic and number of users that still rely on Yahoo services is unlikely to have changed.
And as for Equifax, which managed to have the personal data of around half of all Americans involved in a breach, there are very good questions to ask about how a company that failed at its one job — to keep confidential information confidential — is still in business, but perhaps the plethora of class actions will take care of that issue.
But these examples are massive, mainstream news-making breaches, and there are plenty of smaller ones that fly under the radar with little consequence.
While existing obligations such as data breach notification laws may require companies to inform users of their data being lost, in other circumstances, they may not.
Consider Australia’s upcoming data breach notification laws that only require organisations to inform users when they are at “real risk of serious harm”, alongside the case of Domino’s Australia trying to find out how its customer details have been used for spamming.
Ransomware: An executive guide to one of the biggest menaces on the web | Here’s every patch for KRACK Wi-Fi vulnerability available right now | Governments and nation states are now officially training for cyberwarfare: An inside look | Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you | Research: Companies see mobile devices as big cybersecurity threat
Leaked: Facebook security boss says its corporate network is run “like a college campus”
Ransomware: Security researchers spot emerging new strain of malware
Is spamming serious enough to warrant a disclosure to customers? And even so, how many people outside of technology circles are going to head to a rival pizza store this weekend based on the ongoing spamming incident?
I would suggest that it is not too many, given the pizza chain has been in a holding pattern for the past two weeks and has suffered previous breaches all over the world in recent years, and is nowadays in a stronger position than ever.
Due to the lack of collective memory over these incidents — and the headlong rush to put microphones, cameras, and internet-connected appliances into our homes under the cover of the smart prefix — a move to remind the everyday consumer of the infosec sins that have gone before, or could be permitted, is needed.
Enter the cyber star rating system — dubbed the Cyber Kangaroo in Australia — which would function like an energy star rating, but for the security of devices and organisations.
In a perfect world, not only would a company’s rating be impacted by its own security, but also those of its suppliers. In the Domino’s case, it appears that the pizza chain’s IT systems are free of guilt, but that working with an insecure supplier is the cause of the data leak.
Regardless of where the fault lies, as far as consumers are concerned, the leak is a result of doing business with Domino’s, and, as such, it should be made to carry the can were a rating system to exist.
A cyber rating would more succinctly explain the difference between the Android and iOS patching processes, for instance, than trying to explain to people how Android updates have to pass from Google to manufacturers and finally to carriers, while iOS updates come directly from Apple. Under a cyber rating system, iOS devices could have five stars, and Androids three or four, and consumers would only need to look at the scoreboard to understand why Pixels get updates quicker than Sony or Huawei phones.
As for the Internet of Things, those devices should be handed a zero rating until capable of being proven otherwise.
It is probably beyond the abilities and funding envelopes of governments to properly oversee such a system, so it is likely to fall onto the private sector, specifically those involved in cyber insurance, which seem to be the catch-all for the further maturation of information security.
The key to this information being effective for the general public is have it readily accessible either at the point of purchase or via a portal of some sort. By doing so, it would force organisations to treat security as a first-order concern, something that is viewable and comparable by potential buyers.
In the same way that a vehicle safety rating or an energy rating label is treated by consumers, companies that fail to give cyber its proper priority, or partner with or source from those that also fail to, should be held accountable in order to let the market perform better.
It’s not perfect, but it would be a vast improvement on what we have now.