Ignorance is the most commonly blamed factor in large-scale cyberattacks, but it’s worth remembering that there are at least two types of ignorance, one being the lack of threat sharing.
It’s true that many employees – especially in the public sector – remain ill-informed when it comes to data security. However, even the best-prepared business can fall victim to malware if they are not made aware of threats as they occur. Even if your company has excellent data protection protocols in place, zero-day exploits remain a huge problem.
This issue is made worse by the fact that companies have a vested interest in not reporting the vulnerabilities in their systems. Publicly announcing a specific security hole is an invitation for cyber criminals to take advantage of it and can also cause significant reputational damage.
In this article, we’ll look at why threat sharing is still so rare, and then point out why this needs to change.
Ransomware: A Threat for Everyone
There is a pretty good reason why many companies and government agencies don’t share information on successful attacks: they are instructed not to by their attackers.
The rise of ransomware, particularly targeted at public institutions, has been one of the major stories of recent years. Just this year, in fact, we have seen two huge ransomware attacks – an infection in Baltimore in May that cost the city $18 million, and in August, there was an attack of 23 Texas cities and government agencies. The proliferation of wireless data acquisition devices alongside the widespread use of public wifi networks has only made matters worse.
We know about these attacks because of governmental guidelines on transparency. If they had affected private companies, it’s unlikely they would have ever been made public knowledge.
In both of the above cases, the attacker specifically warned that if the attack was made public, the victims would never get their data back.
That’s why, despite the FBI recommending that companies never pay ransoms to cyber criminals, plenty of them do. In fact, a recent study of ransomware attacks found that 17% state and local governments that are attacked end up paying the ransom.
Becoming the victim of a ransomware attack can be both scary and lonely. Many companies fear that, in sharing information about these attacks even after they have been defeated, they open themselves up to further attacks. This is an understandable response, but it needs to change.
The Importance of Sharing Threat Experiences
In business, there is always a tendency to view your peers as competitors. That can be useful – after all, you are in competition with them – but when it comes to cybersecurity, it can have some unfortunate consequences.
If companies do not share their experiences of cyberattacks, they leave the rest of their sector open to attack. Not only are cyber criminals able to perform essentially the same attack on many companies in turn, but each company has to learn to respond to different threats on its own. This system hurts the profitability of sectors as a whole and is hugely inefficient.
In addition, even large companies cannot typically retain a knowledge base that is sufficient to protect all of the systems they use. If you employ systems from many different vendors in deeply interconnected ways, you cannot be expected to know everything about each part. This is one of the reasons why complex networks are getting harder to secure, but it also points to the importance of threat sharing.
The easiest way to share your experiences of cyberattacks is to use one of the many systems available for this. There are many Information Sharing and Analysis Organizations (ISAO) which cover individual sectors and allow both companies and state agencies to pool their resources.
Other useful tools when it comes to information exchange are industry events and symposia. Whichever sector you are in, you probably send employees to trade shows, but perhaps you haven’t considered the advantages of these when it comes to cybersecurity. These events can promote knowledge sharing and exchange, and be the first step toward your industry, building a united front against cyber criminals.
Vulnerability vs. Sharing: The Fine Balance
All this said, there is a balance to be struck between protecting your own security and ensuring the resilience of your sector.
You should not, for instance, immediately publicize every minor attack that you experience. Not only does this undermine trust in your business, but it also represents a security threat in itself. According to a recent analysis published by Gary Stevens, CISO at HostingCanada.org, “you wouldn’t want your web host to announce every security hole in their operation immediately: doing that is an invitation for cyber criminals to take advantage of them.”
Because of this, your first priority during a cyberattack should be to avoid damage to your organization. Then, you can address the vulnerability that led to the attack. Then, and only then, should you share your experience.
Sharing your experience need not just be of benefit to your competitors. In fact, if you build threat sharing into broader threat detection and avoidance systems, a post-mortem analysis of what went wrong can be a powerful learning experience for your own employees. Sharing this analysis with your peers not only protects them but also cements your reputation as a leader when it comes to security.
It may well be that, once your competitors see how well you’ve responded to malware attacks, they seek to consult your company on these issues. This can be a lucrative source of extra income and turn a potentially disastrous attack into a business opportunity.
The Bottom Line
Cybersecurity, contrary to popular belief, is often not about avoiding attacks. Rather, the best organizations are those that recognize that it is inevitable to become the victim of an attack one day and are proactive in planning for this.
This can involve sharing compliance processes with other companies in your sector, or merely staying on top of your threat profile by checking for recent cyberattacks. Ultimately, your goal should be to turn every cybersecurity incident into an opportunity to improve your resilience through threat sharing.
Everyone benefits when you can share this knowledge with the wider community.
About the Author
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with an emphasis on technology trends in cyber warfare, cyber defense, and cryptography.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of EC-Council.