Cybersecurity is quickly becoming one of the world’s biggest concerns. With credit card fraud and identity theft rising steadily, companies of all sizes are protecting their consumers with the addition of encryption and EMV technology, but individuals are far from the only ones being targeted by hackers.
American businesses were hit hard in 2016, with Yahoo experiencing one of the biggest data breaches in history and the headline-making DNC hack that is suspected of having international origins. From politics and technology to healthcare providers and food suppliers, industries across the board are increasingly subject to cyber attacks.
The EU Cracks Down on Hacking
In response to increasingly widespread incidents of hacking, the EU took its first step towards legislating cybersecurity in March 2014. The resulting law, known as the Network and Information Security (NIS) Directive, passed in January of 2016 and will be implemented by 2018.
Known as a bastion of user privacy, the EU is nonetheless lagging behind the U.S. when it comes to network security. Last year alone the European Commission was attacked 110 separate times, a 20% increase from the year before. Additionally, many EU leaders, including German Chancellor Angela Merkel and Jean-Yves Le Drian, the French defense minister, are increasingly worried about potential Russian interference in their own upcoming elections.
The NIS directive is designed to bring the cybersecurity capabilities of all EU member countries up to the same level of development. The law is also designed to foster cooperation and information flow between member countries and to put security requirements in place for all essential services. Companies offering essential services — energy, transportation, banking, financial market infrastructures, drinking water supply and distribution, digital infrastructure and healthcare — will be required to notify the proper authorities regarding breaches of their cyber networks and to combat these attacks as quickly and efficiently as possible.
Companies outside the scope of the NIS Directive will also be compelled to report any attacks on their networks, especially ones that could have a “significant disruptive effect,” which is determined by a number of variables, including size, scope and the area of affected consumers. These companies, however, will not be subject to any of the other obligations the directive implements.
Unfortunately, many companies aren’t happy about this new directive, since those that have publicized their security breaches have seen their share prices and customer base dwindle. To combat underreporting, the directive imposes a fine of 4% of a company’s global annual revenue for any breaches that go unreported.
Additionally, many companies are struggling with the financial cost of implementing proper cybersecurity. As of January 2017, as many as two-thirds of UK companies have admitted that they are not yet ready to comply with the NIS directive. Now that the UK has elected to leave the EU, it is unclear whether Great Britain will adopt a similar law in the future.
U.S. Laws Curb Hacking Threats
In the U.S., the robust Cybersecurity Information Sharing Act (CISA) has been in place since 2015. Though CISA is different from the NIS directive, the goals remain the same: reporting cybersecurity incidents and providing the proper authorities with information to help combat the situation. When cybersecurity incidents are reported in the U.S., they are reviewed by two separate entities: the Department of Homeland Security and the United States Computer Emergency Readiness Team (US-CERT). As of April 1, 2017, new incident-notification guidelines go into effect.
Like the NIS directive, CISA only requires agencies of the federal executive branch to report their incidents, giving private sector companies the opportunity to handle their security incidents themselves. Private companies that choose to notify the government about security breaches are not protected by CISA the way that government agencies are, which can make private entities hesitant to share information regarding their security incidents.
Need Security Support?
Despite the measures being taken, cybersecurity is still a huge global concern. While directives are being put into place to combat attacks, there is still a long way to go before true cybersecurity is in effect. In the meantime, Bluefin wants to help you secure your networks and keep your company safe. Contact us for information on payment security solutions, including PCI-validated Point-to-Point Encryption (P2PE), EMV, Tokenization, Transparent Redirect, and iFrame for Ecommerce.