Sharing cybersecurity information could either help or hurt hackers' attempts.
No one likes promoting the fact that they’ve made a mistake – including corporate executives. Aside from revenue, the success of most businesses relies heavily on their reputation, brand image and customer loyalty. And these are all at stake when a security breach occurs.
When a disruption impacts the critical infrastructure of an organization, compromising the personal privacy of customers and protection of sensitive data and information, it can have damaging effects, from loss of business to class action lawsuits. So it’s understandable why companies wouldn’t want to be forced to publicly disclose when they’ve been victims of a cybersecurity attack.
But should they be? This question was recently explored by The Wall Street Journal, with one article featuring Denise Zheng’s stance on why businesses should be required to report a cyber attack and another by Andrea Castillo arguing why they shouldn’t.
The advantage of increased IT security transparency
One of the main points fueling the idea of making it mandatory for companies to disclose cybersecurity disruptions is that it would increase the level of transparency and insight among organizations and, ultimately, give people more information to work with in creating a stronger defense against hackers and cybercriminals.
“Some argue that the more cybersecurity information that’s available, the better.”
As Zheng pointed out, the rate of security breaches and hacks is on the rise, and growing in tandem with it is the level of secrecy businesses are demonstrating in handling them. She also argued that there are currently no government regulations or policies in place that adequately ensure cyber safety or computer protection, and the ones that do touch on the subject are vague and open to interpretation. Many of the reports and statements released regarding cyber attacks have also been broad and generalized – which makes it quite difficult to home in on specific strategies and solutions. Furthermore, Zheng suggested that making it a requirement for businesses to disclose and share cybersecurity information would lead to better, more informed decision making.
One possibility is to limit the mandatory reporting policy to attacks that threaten national security and public health or safety. Of course, if government agencies did enforce a blanket law, careful steps would have to be taken to ensure the information wasn’t accessible to hackers, which would produce the opposite of the intended effect. And this is one of the reasons some people are against the idea.
The problem with sharing cybersecurity information
Andrea Castillo did not share Zheng’s view that companies sharing cybersecurity information would be beneficial to strengthening risk mitigation and management. Not only could it damage the reputation of a company, it could also undermine the safety and effectiveness that would otherwise be present if solutions were privately developed, Castillo argued.
“Would increasing cybersecurity transparency lead to better protection or more risks?”
In addition, she insisted that lowering the barriers of visibility could increase the vulnerability of an organization, since heightened transparency and insight is what makes networks and computer systems susceptible to attacks in the first place. Where those in favor of mandatory reporting feel that, essentially, the more information organizations have, the better off they’ll be with cybersecurity, Castillo said that the more parties involved, the more unnecessarily complicated it makes things. She also made the point that the government should not be given any more leverage or control in cybersecurity, since it has not demonstrated a proficiency in this area.
How collaboration can be used to improve cybersecurity
Whether or not the U.S. government will take measures that will make it a requirement for businesses to share information on cyber attacks and security breaches still remains unclear. However, what is certain at this point is that companies need to focus on developing better strategies for computer and IT protection. And one of the ways to do this does involve better collaboration between parties, even if it is simply within the organization.
Research has found that one of the biggest issues surrounding the rise in cybersecurity attacks today is that not enough C-suite executives have an understanding of the topic, let alone the skills and insight needed to effectively combat them. This is why it is highly recommended that more companies prioritize cybersecurity education and training and work on creating a more cohesive and integrated process across the divisions and departments of the organization. For example, giving IT professionals a seat in the boardroom can help ensure that when important decisions are being made, they involve the input and perspective of those most knowledgeable about how the cybersecurity of the infrastructure will be affected by any changes.
Regardless of whether a business is interested in collaborating with other organizations to accelerate and possibly improve cyber safety, it is imperative that it take the necessary steps to create a more educated, experienced and prepared team internally. At The National Cybersecurity Institute, we offer training courses and programs designed specifically for this purpose. Business professionals at all levels can enroll in one of our classes, such as the (ISC)2 Certified Information Systems Security Professional (CISSP) course, which provide the necessary preparation for passing cybersecurity and IT certification exams.