Aaron Zander, Head of IT at HackerOne, says 2019 was no tipping point, but he sees “a line in the sand,” where businesses will stand up and be counted in the areas of security and transparency.
Government, healthcare and financial organisations are still very attractive targets for cybercriminals. These types of businesses hold databases full of sensitive and valuable information, so this threat isn’t going away any time soon.
2019 felt like it was set to be a good year with more companies really starting to invest in security, but it still seems like a small inflection, and not the tipping point.
When we look back, almost every company that had a major breach in the past year has fully recovered in stock value. I want to see more exec heads roll, more fines, and maybe criminal charges in 2020. Negligence with my data should be considered criminal negligence, and this will place more pressure on organisations to up their security measures.
Personally, I think 2020 will be the year that we see these fines really pay out, giving businesses no choice but to up their game.
Ransomware a major challenge
One of the major challenges we have seen in the industry this year is ransomware. It is still devastating banks, hospitals and governments because they have always been behind in investing in security and IT, and haven’t invested in sufficient backups either. If you don’t have a backup and recovery process documented AND tested, do that.
There is definitely a trend towards financial organisations demonstrating that they invest in security. After all, we trust banks with our most valuable data so, as the public, we want to know our security is being taken seriously. And there has been more of a move towards public disclosures; it proves you can do security, and it builds trust.
While we need to ensure there are consequences for negligence with data, we don’t want to see cover-ups – we should not punish people who are investing in security and are then honest if a breach occurs; instead we should celebrate disclosure.
Understandably, this can be tricky for financial organisations; however, there are lessons we can all share and learn from. What is important is that, as an industry, we aim to be secure and are honest.
A line in the sand
We are starting to see a line in the sand, drawn by organisations who want to stand up and say, “we care about security and we care about transparency”. This is something we have seen more of in the past year, and there are some leading financial organisations that are taking these steps and investing in vulnerability disclosure programs.
Some may see this as a “half measure”; there are many hackers in the community that want to see every organization have a bug bounty. That’s a dream for the future; what’s important now is ensuring a safe place for people to disclose security issues.
Additionally, by disclosing an issue, a company can have a positive impact by showing it is a trusted leader in the space, a place that greets security feedback with open arms, and most importantly, cares about its user/customer data.