The secrecy and shame associated with cyber incidents need to be rethought, believes PublicTechnology editor Sam Trendall
It would seem a little harsh to question whether a business that had recently been the victim of an armed robbery had also incurred ‘reputational damage’ as a result of the incident.
And yet, when businesses or public bodies are hit by cyber assaults, this is often one of the first considerations of the organisation in question, as well as onlookers in media and the wider tech sector.
The accepted wisdom that suffering a cyberattack will harm public perception can result in a culture of secrecy and shame. The first instinct for many organisations is to downplay – or, better still, conceal from public view – any breaches.
Studies have repeatedly found that well over half of firms hit by ransomware attacks end up paying their attacker; many do so without the incident ever coming to light. For most, the payment may be thousands – or, at most, tens of thousands of pounds.
But, in the last year alone, there have been three cases in which ransom payments of more than $4m have been made in light of a cyberattack.
The largest of these, $4.5m (£3.2m), was paid out last summer by business travel specialist CWT Global. This has been followed in 2021 by $4.4m ransoms being paid by both the US Colonial Pipeline oil firm, and German chemical distributor Brenntag.
When asked, the vast majority of businesses and public sector outfits insist that they would never pay a ransom. In the majority of cases, this would seem to be an inaccurate projection.
Perhaps a little more honesty about the frequency with which organisations – all organisations – suffer cyberattacks, and the severity of their consequences, might remove a little of the stigma. And, with it, the fears over what is seen as the inevitable reputational damage.
A greater culture of openness, including a willingness to share details of attacks and the vulnerabilities exploited, would not only help remove the shame and secrecy that currently accompany cyber incidents, it would also help bring the perpetrators to justice and prevent future attacks.
To go back to the opening analogy of this piece: if a criminal gang had committed a string of armed robberies, authorities would seek to publicise as much information as widely as possible concerning the details of the incidents, and the modus operandi of the perpetrators. This work would, no doubt, be gladly assisted by the victims. In most cases this would be both out of the wish to see the culprits brought to justice and, perhaps, to recover some of their losses, but also out of the more altruistic desire to save other businesses from suffering as they had.
But, in the cyber world, the stigma of having suffered an incursion means that organisations are all-too-often happy to allow attackers to get away with their ill-gotten gains if it means the incident receives the minimum of publicity – ideally none at all. This means that crucial intelligence on attackers’ methods and vulnerabilities exploited – information that could prevent or, at least, mitigate future incidents – is lost.
The volume and sophistication of attacks these days is such that suffering the occasional breach is an inevitability. But, at the same time, almost all successful attacks could have been prevented, either through slightly modified or bolstered defences or, invariably, through increased awareness and diligence on the part of staff.
A more open culture, one in which organisations shared information on attacks and attackers – ideally in as close to real time as possible – would not only assist in alleviating the stigma around suffering a cyber breach but, crucially, could seriously hamper attempts to launch similar assaults in the future.
There is no shame in suffering a cyberattack. But it is a shame that so many are swept under the carpet, meaning so many more are allowed to follow in their wake.
This article forms part of PublicTechnology Cyber Week, in association with Akamai. Throughout this week, the site will bring you a range of content looking at the major security issues facing the public sector, and the country as a whole – as well as insights on how these challenges are being met, and how government and regulators can support this. We will also be hosting an exclusive webinar discussion in which NHS Digital will discuss the challenges it has faced in the past 18 months, ensuring the resilience of its services in the face of unprecedented demand.