3 unintended consequences of well-intentioned cyber regulations
Insurers will have to balance innovation, risk reduction and regulation.
Cyberthreats have surged exponentially, significantly outpacing the ability of organizations to prevent or respond to them effectively. That’s why policymakers worldwide are stepping up efforts to create cyber regulations that can help mitigate these threats, boost society’s resilience against them, and assert control over how some technological innovations are used.
As these legislative changes take hold, it will become apparent that they are not just removing dangers but are forcing evolutions that risk redirecting the threats and burdening organizations with a raft of hard-to-meet demands that may continue to leave them open to attack and disruption. The Information Security Forum (ISF) predicts that by 2024, global organizations will face some unintended consequences of cyber regulations, no matter how well-intentioned they might be:
Threat 1: Ransomware evolves into triple extortion
The world has witnessed a dramatic rise in ransomware-based cyber-attacks. This has caused nations to come together and initiate worldwide crackdowns on ransomware gangs. However, ISF believes that the political, diplomatic, and legal actions against ransomware actors and the underground financial systems that support them will force criminals to evolve their tactics. Ransomware gangs might initially suffer some inconvenience, but they will adapt to any new restrictions, launching attacks that will be more damaging and far-reaching.
There’s ample evidence that proves this. Every time ransomware attackers hit a roadblock or find victims who don’t comply, they simply up their game. Earlier versions of ransomware were one-dimensional; they focused on encrypting data and demanding a ransom in exchange for the decryption key. Newer forms of ransomware attacks have added another layer to the process; they exfiltrate data before activating the encryption routine. Attackers then threaten the victim with this stolen data and apply double pressure: pay up, or face having data access denied and the stolen data sold or published. Ransomware attacks are now evolving into a third layer (triple extortion); criminals not only encrypt and exfiltrate data but also demand a ransom from the victim’s network partners, customers and suppliers.
Threat 2: Regulators inhibit data-driven innovation
According to some estimates, 2.5 quintillion bytes of data are created daily. More and more enterprises are turning to Artificial Intelligence (AI) to derive insights from this vast and complex ocean of data. As more businesses embed AI into their products, services, processes and decision-making, AI is coming under increasing scrutiny from regulators. The reasons are obvious: AI isn’t infallible. Like people, AI can be subject to manipulation, can institutionalize bias, and can make unfair or even unsafe decisions. Policymakers are certainly moving in the right direction, helping to develop AI solutions that consumers can trust.
On the flip side, organizations that are keen on using AI-based algorithms to run their business are forced to delay applications as regulators demand that these tools be approved for use before they’re deployed. Organizations are also at risk of being stuck in a developmental spiral as they make sure algorithms don’t fall foul of ambiguous legal demands and that they operate fairly. AI regulations can be a huge administrative and expensive burden for smaller players, and this can impede innovators from innovating and competing with larger, more established businesses.
Threat 3: Attackers undermine central cryptocurrencies
Consumers, organizations, and governments are discovering new applications for cryptocurrency. Especially in the financial services sector, more and more banks have announced plans to adopt cryptocurrency. When this happens, cybercriminals will certainly aim to cash in on banks’ crypto payment schemes. Additionally, the gradual adoption of digital cash will undoubtedly test the security arrangements of many organizations as they seek to accommodate various payment schemes. Organizations that fail to implement appropriate controls around processing these crypto payments will be exposed to major financial, reputational and existential risks.
How organizations can protect themselves
- Organizations that do not regularly evaluate their ability to detect and respond to extortion attacks like ransomware should consider a strategic approach to managing such an enduring threat to their business. A re-evaluation of what business-critical data assets exist in the organization and where they reside will further support this objective. The board of directors should have an in-depth understanding of this ongoing threat so it’s not caught by surprise if and when an attack happens. Now is also a good time to understand the maturity of your defenses relative to the threat, and to risk-assess any gaps.
- Organizations should discover which AI algorithms are in use and how they were developed, and look for ways to assure the integrity of their data sources. They must consistently review the regulatory landscape to determine which laws and regulations apply, and review their internal governance structures and policies to understand whether they adequately cover those frameworks. Develop a plan to improve the governance of algorithms by creating a process to measure outcomes and expose potential bias on an ongoing basis.
- Since crypto is still quite new and complex, companies need to identify or perhaps recruit subject matter experts in cryptocurrencies and assess the organization’s readiness for their secure adoption. Organizations must audit their financial systems to expose weaknesses and gauge operational readiness for cryptocurrency commerce. Finally, they need to make sure security operations are familiar with proposed changes.
Striking the right balance between innovation, risk reduction and regulation is not an easy feat. Companies that successfully walk this tightrope will not only gain a clear competitive advantage but also put themselves on a path to becoming market-leading enterprises.
Steve Durbin is chief executive of the Information Security Forum, an independent, not-for-profit association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at www.securityforum.org.