Cyber Attacks Are Rising, New Cyber Security Legislation

Cyber Attacks Rising

The latest statistics from the Federal Bureau of Investigation (FBI) demonstrate that no industry is exempt from cyber attacks, which are increasing in both frequency and impact. Per the FBI, losses from Business Email Compromise (BEC) attacks surpassed $43 billion globally and are still rising.

These losses, which the FBI calls “exposed losses,” include both actual and attempted losses reported between June 2016 and December 2021. The FBI noted an increase of 65 percent during that time, most likely spurred by the COVID-19 pandemic, which forced many individuals to shift to virtual work from remote environments that are typically less secure than their corporate network.

Ransomware attacks continue to be a significant problem as well. Ransoms are increasing and data is no longer merely encrypted and held for ransom. Recent research has shown that roughly 40 percent of all newly discovered ransomware includes data exfiltration as part of the attack process.

The exfiltrated (stolen) data is “dumped” on “shame” sites, where hackers post the names of corporate ransomware victims along with samples of the stolen information to increase the likelihood that the victim will pay a ransom. This is known as “Double Extortion.” In some cases, the hackers will also demand ransoms from the individuals whose data was among that stolen, which is known as the “Triple Extortion” ransomware threat.

What Is the Strengthening American Cybersecurity Act?

The Strengthening American Cybersecurity Act (S. 3600) was signed into law by President Biden earlier this year to help combat these and other cybersecurity-related issues.

Key points of the new law include:

  • It only applies to particular companies that it calls covered entities. The rules for what is considered a covered entity are still being finalized, but, in general, it applies to companies that are part of the U.S. critical infrastructure (finance, transportation, energy and other sectors).
  • Covered entities are required to report cyberattacks to the federal government within 72 hours of the incident’s start — or within 24 hours if a ransom has been paid.
  • Covered entities must also preserve all data related to any cyber incident or ransom payment and provide the Cybersecurity and Infrastructure Security Agency (CISA) with updates on incidents until they are fully resolved.
  • CISA, a division of the Department of Homeland Security (DHS), will be at the helm of the federal government’s response to major cyber incidents within four years.
  • Specific guidelines for which companies are covered entities, what data must be preserved and other details related to this law are still being defined — a process called rulemaking that may take as long as two years.

If your company is likely to be considered a covered entity, you should monitor the rulemaking process and take steps now to prepare for the new disclosure obligations and the potential for overlapping obligations.

Whether or not your company is considered a covered entity, you should take the opportunity to revisit your cybersecurity posture, including your tools, policies, procedures and programs. Regulations will likely expand to other industries: when the cyber security landscape changes for one industry, it often bleeds into others sooner or later.

Additionally, cyber insurance providers are becoming much more stringent regarding whom they will insure and what security measures they demand. For those businesses that can get insurance, premiums are rising rapidly, especially if your cybersecurity posture is weak, which is yet another reason to act now.

You can find some great insight on the current state of the cyber insurance market in this recent article from The Wall Street Journal, “Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise.”

Two More Cybersecurity Bills Passed in June

In June 2022, two bipartisan cybersecurity bills were signed into law by President Biden: the Federal Rotational Cyber Workforce Program Act of 2021, and the State and Local Government Cybersecurity Act of 2021.

Together these bills intend to:

  • Improve collaboration between DHS and state, local, tribal and territorial governments.
  • Require the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to aid state, local, tribal and territorial government entities with cybersecurity exercises, training, and education and awareness.
  • Provide a rotating workforce for cyber security efforts across federal agencies.

What It Means for Your Business

While governments try to shore up cybersecurity regulation and provide support and guidance, protecting your business still falls squarely on you. Our certified experts have been helping businesses understand and defend against the myriad cyber threats thrown at them since 1992.

Here are some free resources to help you improve your cybersecurity posture:

You can also contact us or book a meeting to discuss your IT and security needs today. We’re here and ready to help.

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.
