Are organizations reporting cyberattacks more?
Across a few articles since the pandemic has erupted across the world, I’ve noted how cyberattacks have been on the rise. Reporting these attacks in a prompt manner is not only important in reassuring consumers whose data may have been compromised but given the connectivity of supply chains, it’s also important to notify partners whose systems might also have been compromised.
PwC’s Threat Intelligence team recently said that attackers have been setting up ‘leak sites’ to post stolen data onto, with over 150 organizations reporting that their compromised data had ended up on such websites during the pandemic.
“There’s been a rise in the number of public high-profile cybersecurity incidents, with the majority being ransomware attacks involving exfiltrated data being leaked,” says Kris McConkey, Cyber Threat Operations Lead Partner at PwC. “In most such cases, initial access to networks is typically established well before the attacks are made public or identified by the victim organization.”
Why sharing information matters
The battle against cyberattacks is undoubtedly a complex one, with successful defense relying on effective responses to what is often a rapidly changing threat landscape. Any form of data gap can exacerbate these risks, and make the defense that much harder. After all, it’s highly likely that if an attack is successful against one organization, that the same tactics and methods will be used to attack a second, and a third organization.
By sharing data about attacks when they happen, it helps other organizations prepare themselves and ensure that similar vulnerabilities don’t exist in their own systems. Of course, such a practice would also alert your own cybersecurity teams to breaches elsewhere so that they get early warnings of potential threats. It becomes a virtuous cycle as organizations become better equipped to rapidly respond to the current threat landscape.
Such ready sharing of information also helps regulators and law enforcement agencies successfully manage their response to attacks, whether in terms of trying to locate the criminals or updating guidance and regulations to make systems more robust in the future.
Sharing the right information
An obvious first step when you begin to share information about cyberattacks is understanding what information to share. This process begins by understanding what information you want to capture in the first place. In order for the collective to be wiser after you share information, it’s good practice to use a standard taxonomy so that it becomes easier to track and trace each attack. This taxonomy should include things such as the type of incident, when it occurred, when it was detected, the scale and type of impact, and the method used.
Once the precise information to be shared is determined, it’s vital that organizations overcome any fears or stigma associated with any cyberattack. It’s enormously tempting to try and keep any breaches in-house to avoid any embarrassment or loss of confidence among consumers. Indeed, there is a temptation to believe that highlighting any successful attacks might merely invite other attackers to try their luck.
These are all valid fears, and succumbing to them will severely limit the amount of data that’s shared, so the best approach is to ensure anonymity whenever firms report cyber attacks. While doing this, however, it’s equally important to ensure that the data shared includes various characteristics of the firm, such as the industry it operates in, its size and geographic spread. This will help similar organizations understand the risk they face and allow them to respond accordingly.
As information about attacks begins to mount, this information also provides us with a detailed picture of the cybersecurity landscape, and we will begin to grasp whether particular nations, industries, or organization types are being affected, whilst also allowing firms to benchmark themselves against their peers.
There’s a clear desire among regulators for companies to quickly and thoroughly disclose any cyber breaches they suffer, but the regulators themselves are not really sharing this information more widely, such that the economy can become wiser and more protected from subsequent attacks. Indeed, often, no data is shared with the wider economy at all.
For instance, the Securities and Exchange Commission in the US mandates that companies disclose their cyber risk exposure, but the information they require is fairly limited, and nowhere near as rich or as valuable as highlighted above. This results in many organizations providing boilerplate style statements that fulfill their legal obligations but provide little of real value.
Worryingly, there seem to be few, if any, changes to this situation, and therefore there is little incentive for organizations to declare any attacks publicly, as they would be largely operating in isolation were they to do so. A good example of what can be achieved can be found in Israel, where the Cyber Net platform provides organizations with an opportunity to anonymously share much of the information outlined above, whilst also providing cybersecurity teams with a live dashboard on the kind of threats they themselves must guard against. The platform, which is operated by the National Computer Emergency Response Team has strong government support, so usage is high. As well as being anonymous, the platform pledges not to share data with any other government agency, which helps to provide sufficient confidence to motivate participation.
Such sharing of information is vital if industry is to successfully tackle the evolving cyber threats we face, and it seems increasingly sensible for such sharing to be done on an international, rather than national, scale. Alas, we’re some way from such disclosure being the norm, but Cyber Net does at least show what can be achieved.