Issue price – Newspaper Kommersant No. 234 (7435) dated 12/16/2022
[ad_1]
In 2022, Russia recorded a record number of data leaks of Russian users. Our observations show that in the third quarter alone, in more than every second attack (53%), organizations encountered precisely the leakage of confidential information. In the summer, databases of 75 domestic companies were discovered on the Internet. At the same time, we must not forget that many data were already on the Internet and without leaks. For example, a user indicates a patronymic and a phone number on a social network, agrees to receive advertising mailings when buying goods, purchasing services, etc. Therefore, it is incredibly difficult to calculate the real damage.
Most often, such leaks do not occur due to non-compliance with cybersecurity rules, but due to external attacks. Many organizations noted attacks from abroad. They have happened before, but primarily for financial reasons, this year it is more about politics, increased anxiety among the population and loss of business reputation of companies.
Most often, it is not the companies themselves that are guilty of leaks, but so-called external factors. Nevertheless, these incidents led regulators to think about the need to make changes to the legislation, one of which is a turnover penalty for the leakage of personal data. And according to the bill under discussion, companies will be held liable for the very fact of a leak, and not for failure to comply with cybersecurity practices.
There are no sanctions for anyone else, although situations may be different. For example, when a file with data from a leak appears somewhere on hosting sites, the regulator needs to be actively involved in order to block the domain. Because ordinary companies do not have the authority to divide domains.
Unfortunately, there have been and will be leaks, the bases are collected in a consolidated manner from different sources. And even more so in such a situation, it is incorrect to say that the damage occurs precisely because of the leakage of a particular company. When something leaks from one player, it is a shadow on the industry as a whole.
The turnover penalties discussed now lead to a dramatic increase in costs for organizations, but not to an increase in efficiency, protection against leaks. Ultimately, they do not help users or protect them from losing sensitive information. Still, the legislation should have a different goal – not to punish data leakage, but to increase the level of their security and reduce the number of incidents.
Meanwhile, the introduction of a turnover fine may become another strong financial motivation for hackers – companies will be willing to pay for concealing the fact of hacking, just not to receive a huge fine that will slow down investment in business development, including information protection.
It would be more efficient to use this money not for fines, but for really important projects to improve security, undergo regular audits, cyber exercises, and so on. Those who did their best to protect themselves, but still faced the fact of a leak, should not bear the same responsibility as those who did not invest in security.
In addition, many companies have bug bounty programs that allow you to reward ethical hackers who find problems in services and direct their resources not to selling data and vulnerabilities, but to ultimately strengthening user security. Large turnover fines can be, but only for those who are really negligent about security.
[ad_2]
Source link
