Why cyberattacks need more publicity, not less

[Image: Padlock over binary code signifying a data breach. Image credit: Shutterstock]

Cyberattacks are a fact of life these days, so why do so many organizations keep quiet about incidents? Research indicates that over half of security professionals say their organization approaches cybersecurity with a culture of obscurity, with a third not sharing anything about their cybersecurity practices.

It seems that business leaders avoid revealing security issues because they believe confessing to incidents leads to a loss in customer confidence. Many brands are still driven by the misconception that financial loss and brand damage are inevitable consequences of any publicity about security and data protection concerns.

While it may seem contradictory, cybersecurity transparency has been shown to be better for business than concealing security weaknesses. Organizations that are open about cyberattacks, disclose vulnerabilities, and share how they’ve handled an incident can strengthen trust with their customers and the public. In contrast, those who don’t share information are likely to suffer more serious reputational harm and unwanted scrutiny from regulators when details come to light.

Take the recent revelations at Sellafield, where it is alleged that security transgressions dating back as far as 2015 were not reported to the Office for Nuclear Regulation for several years. Instead of dealing with the related problems, senior leaders are accused of deliberately concealing them from officials tasked with testing for security vulnerabilities, leaving the UK’s critical infrastructure at greater risk of attack. The repercussions could include the prosecution of those responsible, and the affair has already damaged the public’s trust in those running Sellafield.

Laurie Mercer, Security Architect at HackerOne.

The case for transparency

Regulators worldwide have recognized this lack of transparency and are tightening legislation to improve the disclosure of security incidents. New rules from the U.S. Securities and Exchange Commission (SEC) require companies to disclose a material cybersecurity incident publicly within four days of its discovery. The European Parliament’s Cyber Resilience Act (CRA) is also seeking to impose further reporting obligations regarding exploited vulnerabilities and incidents.

These tougher obligations will force more transparency, although forward-thinking organizations are already championing the benefits of disclosure for the wider community. Part of the support for openness stems from a genuine fear of cyberattacks taking out the UK’s mission-critical infrastructure, such as energy, communications, and hospitals. But there’s added value to be gained, as visibility and accountability can be positive differentiators for businesses. Clear disclosure and reporting procedures demonstrate that an organization understands what’s required to maintain operational resilience when under attack. If a breach does occur, such organizations are primed to react quickly and effectively and to communicate accordingly with regulators, customers, the media, and other stakeholders.

Transparency in the midst of an incident also benefits the collective defenses of all enterprises. It alerts security teams to emerging threats instead of perpetuating a culture of secrecy that leaves others susceptible to copycat attacks.

Resilience through collaboration

An important part of initiating a culture change should be assessing whether there is a security skills shortage and an overreliance on technology. While automated and AI-driven tools should be an integral part of security, human intellect is still vital to detect hidden vulnerabilities and unearth sophisticated attacks. The global ethical hacker community can help supplement internal resources, whatever an organization’s size or industry, by providing immediate access to a vast pool of security researchers with an extensive range of expertise. By combining internal and external knowledge with advanced security tools, organizations can put themselves in a strong position to identify serious vulnerabilities before they are exploited.

However, changing a long-held habit of obscurity often starts with a decision to lose the blame culture internally. Under-resourced and stressed employees can unintentionally help perpetuate the smoke-and-mirrors approach to security. Creating a positive environment encourages staff to raise concerns and highlight mistakes without the fear of rebuke. What might once have been problems to sweep under the carpet can now be seen as opportunities to improve processes and training, as well as identify security gaps.

In addition, secure coding practices from the outset will contribute to more robust cybersecurity as well as improve development productivity. This depends, however, on development teams having the right training and tools to do their jobs effectively. Cultivating a collaborative environment where security and development work together can eliminate friction between the teams.

Shifting transparency paradigms

Striking a balance between protecting sensitive data and sharing information publicly is crucial in helping organizations to defeat cyberattacks. Without collaboration and transparency, malicious actors will always have the advantage of reusing the same tactics until disclosed by a victim or ethical hacker. A better option would be early disclosure to galvanize industry-wide collaboration and speed up the delivery of preventive measures.

A long overdue shift towards a transparent cybersecurity culture is essential for strengthening overall resilience and establishing a united front against cybercrime. Leading organizations are going one step further by committing to best practices. One example is The Corporate Security Responsibility Pledge, which commits signatories to follow accepted cybersecurity best practices in the areas of cybersecurity transparency, industry collaboration, cybersecurity innovation, and differentiation. By adhering to the pledge, signatories improve their own risk profile as well as make the digital landscape safer for everyone.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Laurie Mercer is Security Architect at HackerOne.