Cybersecurity regulations present new business risks

With the global cost of cybercrime estimated at $8.4 trillion in 2022, governments feel rising pressure to take action with cybersecurity regulations designed to protect consumers. But for businesses affected by cybercrime, these new regulations may add insult to injury.

Businesses targeted by cybercriminals already face disruption to their normal operations. It takes time and money to recover critical data and intellectual property, restore business systems and shore up protection against future cyberattacks. Employees lose productivity — sometimes for weeks. And the business may experience long-term reputational harm or lose customers and marketshare.

With expanded cybersecurity regulations, businesses now face an additional consequence of penalties.

Cybercrime: a growing threat to businesses

According to research by Ponemon Institute, the global average cost of a data breach for small- and medium-sized businesses was around $3.3 million USD in 2022.

More often than not, it’s the humans who are the weakest link when it comes to cybersecurity. Phishing, stolen or compromised credentials, and business email compromise represent three of the top five initial attack vectors. Yet, even when companies budget for cyber strategy, they tend to focus on technology and neglect employee training.

Ransomware: the big bad wolf of cybercrime 

A ransomware attack is when a cyber criminal attempts to extract a ransom from the victim. In one common scenario, the attacker will encrypt the victim’s files to render them inaccessible. In another, the attacker extracts sensitive files and threatens to publish them.

Businesses today face cyberattacks ranging from phishing attempts and supply chain threats all the way to nation-sponsored attacks. But of all the strategies employed by cybercriminals, ransomware attacks pose some of the biggest and costliest threats. 

In fact, global ransomware attacks will cause damages in excess of $30bn in 2023. These attacks affect virtually every industry, and they are growing in intensity. With few barriers to entry, ransomware attacks present a low-risk, high-reward strategy for cybercriminals. 

The case of WannaCry   

You may remember the WannaCry ransomware epidemic that shook the cybersecurity world in May of 2017. This crypto-ransomware targeted machines running Microsoft Windows, encrypting data and demanding Bitcoin to return it. Affecting more than 200,000 computers across 150 countries in just one weekend, the attack’s total cost was in the billions. High-profile organizations, including FedEx, Nissan, Bank of China and the National Health Service (NHS) in the UK fell victim.

So, how did this happen? Interestingly, Microsoft had released an update to address a vulnerability in their system a few months before the attack. However, cyber criminals were still able to exploit the weakness in unprotected machines. The attackers demanded victims pay a bitcoin-equivalent ransom of $300 within three days. (The amount later doubled.)

Many of the targeted organizations were quick to take action. However, the WannaCry ransomware cryptoworm is still out there, infecting victims and encrypting data.

Governments respond with critical cybersecurity regulations

In response to increased cybersecurity threats, government entities around the world are introducing new laws and regulations. Now, the business implications of a cyberattack are bigger than ever. As part of their recovery from an attack, organizations may also face fines for violating cyber regulations.

Here are a few of the most common:

GDPR in the EU and UK 

Beginning in 2018, and spanning across the EU, GDPR tightened the rules on how businesses can market to individuals. Potential penalties for violating the rules can reach £17.5 million or 4% of annual turnover – whichever is greater.

Strengthening American Cybersecurity Act (SACA) in the US 

SACA was signed into law by President Biden in March 2022. It requires critical infrastructure organizations to report breaches to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Businesses must report ransomware payments within 24 hours.

Businesses may face challenges meeting the breach reporting timeline. According to IBM, it takes an average of 280 days to detect a ransomware attack.

State-specific data privacy regulations in the US

A number of state-specific data privacy regulations — many modeled after the California Privacy Rights Act (PCRA) — were introduced recently.

(For a closer look at the details, we have a one-page overview of US data privacy regulations you can download.)

The Product Security and Telecommunication Infrastructure (PSTI) Bill in the UK 

The PSTI Bill enforces stricter security requirements for manufacturers, importers and distributors of IoT devices. If businesses breach the rules, they may face fines of up to £10 million and 4% of their global turnover.

Thanks to Crosslake security consultant, David Cooper, for his contributions to this post.

To learn how Crosslake can help your business achieve critical security certifications, tighten up your security foundations or run your security program under the guidance of an experienced CISO, reach out to our team.