The European Union has officially proposed a new directive that would require organisations in a number of industries to notify authorities of any security breaches. The new Directive would affect enablers of key Internet services, such as large cloud providers, social networks, e-commerce platforms and search engines, the financial sector and critical infrastructure services including energy, transport and health, as well as public administrations. The Directive would also oblige EU member states to establish a Computer Emergency Readiness Team (CERT) and to share security threat data with other states in a co-ordinated way.
“This new law is exactly what the public needs in order to restore consumer confidence in cyber security, which has clearly eroded across all industry sectors over the past couple of years. There is an urgent need for organisations to reassure consumers they are capable of safeguarding networks, and the public is increasingly demanding mandatory disclosure of any incidents in which data has been compromised,” said Ross Brewer, vice president and managing director for international markets, LogRhythm.
“Our recent research shows that 80 percent of the UK public implicitly do not trust organisations to keep their data safe, ranking social networks and gaming sites the least trustworthy organisations. As such, it’s great to see that the EU proposal is in line with public demand by including major internet companies such as social media companies in its list of key companies required to report any IT security breaches. There are, however, some glaring omissions, with many organisations entrusted with vast amounts of high worth data seemingly unaffected by the proposed directive,” he continued.
“No organisation should wait for new legislation to obligate them into maintaining a transparent IT security strategy. With data breach incidents reaching an all-time high last year and affecting an increasingly wide range of organisations in various different industries, it is only a matter of time before mandatory data breach disclosure is required across the board. With traditional perimeter security solutions now clearly an inadequate defence, organisations must ensure they have IT security in place that effectively formulates damage limitation strategies while also future-proofing against increasingly stringent legislation and ensuring the generation of accurate breach notifications.”
Jarno Limnell, director of cyber security at Stonesoft, disagrees. According to Jarno, increasing regulatory and legal requirements are not the right way to solve cyber threats and risks.
“The rules proposed by the European Union reflect the misunderstanding that currently prevails in Europe, namely that everything, in this case cyber threats, can be solved by creating more statutes, directives and restrictions. This is neither the right nor the most efficient way to improve European cyber security,” he said.
“Instead, what is needed is for each European country to have an authoritative cyber agency, such as CERT, with very skilled personnel, who take cyber security threats and challenges seriously. However, at the same time – with regards to the proposed rules and regulations – from a constitutional point of view, the same agency should act both as an investigator and as a punisher.”
Martin Sutherland, Managing Director of BAE Systems Detica, welcomed the strategy but stressed that, in terms of risk assessment and breach disclosure requirements, it is imperative that the strategy drives positive behaviour and information sharing about cyber risks rather than deterring honest disclosure for fear of reputational damage.
He said: “Implementing a cyber security strategy to formalise best practice for EU members and the businesses that European economies rely upon is an important step in combating cyber attacks that know no borders. The strategy will also support EU member initiatives already implemented, such as last year’s update to the UK government’s cyber security strategy.”
Paul Ayers, VP EMEA of data security expert Vormetric, believes that the move harmonises an otherwise disjointed approach in the fight against cybercrime.
He said, “Cybercrime is a highly-sophisticated and destructive industry targeting organisations of all shapes and sizes. It can damage brands and result in painful compliance penalties. It is no wonder that many businesses have been anticipating the arrival of more stringent data protection legislation – these new proposals are indicative of things to come and set new parameters for businesses endeavouring to operate in a compliant manner on the international stage.
“While the litany of highly visible data breach incidents in 2012 galvanised many organisations to re-evaluate their security measures, some businesses clearly have a considerable way to go. As the custodians of their customers’ data, any organisation touching sensitive information must look to place security controls around sensitive data, as this ultimately is the target of attack. In the face of tougher monetary penalties and legal sanctions for security negligence, encryption of all data is no longer a reasonable expectation – but an absolute necessity.”