Why cyberattacks mustn’t be kept secret
No company is immune to cyberattacks, but when the inevitable happens, too many companies still try to maintain a wall of silence. In fact, over half of security professionals admit their organizations maintain a culture of security through obscurity, with over one-third admitting they are completely secretive about their cybersecurity activities.
While many organizations may fear reputational or monetary damage from proactively sharing findings from vulnerabilities and incidents, I’ve found the contrary to be true: Embracing a culture of cybersecurity transparency is good for business and for the broader security of the internet.
The benefits of cyber transparency
For individual organizations, transparency and accountability can be a significant differentiator that dictates conversations with customers, the C-Suite, the media, and other key stakeholders.
Clear visibility into a company’s vulnerability management, disclosures, and reporting procedures communicates a thorough grasp of security processes and shows that the organization knows what’s required to keep its infrastructure intact. Instead of eroding trust, transparent cybersecurity practices strengthen how an organization is perceived externally.
When a breach does happen, organizations that embrace transparency have clear internal procedures and external reporting best practices in place to help them react more quickly and with more resilience.
Organizations that practice transparency in the face of an incident also strengthen the collective security of their entire industry. This is because transparency encourages communication and collaboration between organizations: both vital activities for addressing common cybersecurity gaps plaguing broader industries. These leading organizations can reduce the recurrence of cyberattacks in other organizations.
It’s time to reveal cyber skeletons in the closet
Despite these benefits, very few organizations are willing to own up to cybersecurity challenges proactively.
For many businesses, the instinctive reaction when experiencing a cyberattack is to keep quiet and minimize the incident. This is fueled by the fear that revealing insecurity breaks trust with customers — and fear of the reputational and monetary damage from that break in trust. Yet, companies that fail to share information about cyberattacks (or, worse, intentionally conceal information) are proven to damage their reputations.
With such high stakes, this is a challenge we cannot continue to ignore, and regulators are awakening to this fact. Globally, there is a lack of uniform and enforceable regulations regarding vulnerability and incident disclosure. If businesses try to sweep attacks under the carpet, they can sometimes get away with it. Legislative bodies, like the U.S. Securities and Exchange Commission (SEC) and the European Parliament, are pushing to rectify this with new rules and guidelines. The SEC’s new rules will require companies to disclose a cybersecurity incident publicly within four days of its discovery. Similarly, the European Parliament’s Cyber Resilience Act (CRA) is also seeking to impose a series of new reporting obligations.
This legislation is designed to discourage a security-through-obscurity culture and enforce a more collaborative approach to cybersecurity. Silence and secrecy simply aren’t viable tactics in the modern business world, where cyberattacks are increasing in impact and scale.
Trust starts with transparency
Fortunately, this regulatory momentum and trends among leading organizations suggest this culture of obscurity is starting to change. The most progressive organizations have started to view cybersecurity disclosure differently in recent years. The reality of threats taking down mission-critical services, such as hospitals and energy infrastructure, has led to calls for much more collaboration and openness throughout the industry.
Sharing knowledge and experience is a powerful tool. Reporting attacks, disclosing vulnerabilities, and leveraging ethical hacking help organizations keep themselves and others more secure in the long run. For maximum effectiveness, there are several best practices to keep in mind:
Refrain from finger-pointing
When vulnerabilities are discovered, many organizations quickly start looking for someone to blame. Instead, discoveries like this should be seen as an opportunity. Internal teams can be educated to build up an organization’s resilience and posture. Doing so builds a culture focused on openness, collaboration, and growth that strengthens the people, processes, and technology used to build more robust cybersecurity defenses overall.
Put developers at the heart of security
Developer-first security makes developers the customers of the security team. Developers are responsible for writing secure code, and security teams provide them with the tools and resources they need to do their jobs securely. This means tools, training, and a security culture that has the developer at the heart of everything.
Take advantage of the entire cybersecurity ecosystem
Innovative technology like automation and machine learning is central to modern security. However, such solutions aren’t without limitations and can still miss key vulnerabilities. Ethical hackers are limited only by their imagination, making them a great foil to technology-based solutions. By using both together, organizations can ensure there aren’t gaps in their attack surface and continuously identify even the most elusive vulnerabilities.
Join The Corporate Security Responsibility Pledge
For the ultimate commitment to cybersecurity best practices, enterprises can adopt The Corporate Security Responsibility Pledge. The pledge is based on four core principles: transparency, collaboration, innovation, and differentiation. By adopting these principles, organizations can ensure they are continuously meeting leading best practices in key areas and driving the industry standard forward when it comes to reducing cybersecurity risk for themselves and the wider digital world.
For far too long, cybersecurity has been built around secrecy. An organization may believe bad actors won’t be able to penetrate it if they don’t know what defenses it has in place or that it has been targeted before, but this isn’t the case. And businesses are increasingly realizing that this approach just isn’t fit for purpose in the modern digital landscape.
The strongest security cultures are built on collaboration and transparency, sharing key information and experiences with others in a way that makes everyone stronger. The idea that “together we are strong” has never been more applicable, so don’t work in isolation.