Principal Ben Hobby highlights important lessons from the British Library cyberattack and the library's commitment to transparency.
When a cyberattack strikes, the consequences can be devastating — not just in terms of financial loss, but in lost trust. Yet, many organizations choose to remain silent about their cyber incidents. Why is this? And more importantly, what are the costs of this silence for others trying to stay ahead in an increasingly complex threat landscape?
Learning the hard way: Why we don’t share
It is part of the human condition that we often learn things from experience. Academics have demonstrated that other species learn from their actions and adjust their behaviour accordingly. Humans do the same, but are we doing it consistently, especially when it comes to cybersecurity?
When a cyberattack occurs, it is usual for the victim organization to perform its own investigation to determine what went wrong. However, the results of these investigations and the lessons learned are rarely shared publicly. Let’s explore why that is — and why it needs to change.
1. Embarrassment
Many organizations fear that admitting to a cyber incident reflects a failure in their security measures. While this may be (partially) true, it ignores the fact that there is an arms race going on between cybersecurity specialists and threat actors, with companies doing their utmost to stay one step ahead of the bad guys. In any race, the lead changes hands from time to time, and cybersecurity is no exception.
2. Security risk
Disclosing details of an attack, especially how it was resolved, can provide valuable intelligence to other attackers. By highlighting security gaps and the consequent security improvements that have been made, organizations may inadvertently give the same or a different threat actor intelligence that could be used to mount a second attack. It’s fair to say, therefore, that company directors often adopt a “once bitten, twice shy” approach.