Time for cyber transparency

by Mark Rowe

Transparency may, at first, seem a surprising or even frightening response to a data breach. Publicising things that have gone wrong feels counterintuitive, and it raises the concern that disclosing resolved vulnerabilities invites unwanted attention. Yet companies that share intelligence openly have been shown to fare better reputationally after a breach than those that try to muddy the waters, argues Laurie Mercer, pictured, Director of Security Engineering at HackerOne.

Transparency builds trust

In the last couple of years, forward-thinking organisations have begun to see cybersecurity disclosure differently. In March 2019, Norsk Hydro, a renewable energy and aluminium manufacturer, suffered an extensive ransomware attack that affected its operations worldwide. In response, the company distributed frequent and candid communications to inform its customers and shareholders about the events that were unfolding. It also exposed the tactics being used by the cybercriminal group to help other organisations defend themselves against similar attacks.

At the time, cybersecurity leaders widely praised the company in the media for how it handled the attack. Despite risking millions of lost dollars in business, Norsk Hydro did not pay the ransom demand. Instead, by being transparent, it built trust with its customers, suppliers, and shareholders and as a result, its reputation and share price were not adversely affected during the breach.

Obscurity still pervades

While progress towards transparency has been gathering pace, a recent survey of 800 security professionals showed that 64pc admit to still maintaining a culture of security through obscurity. In some cases, this is encouraged by the lack of enforceable regulations. For example, in 2021, it emerged that nine cyber attacks affecting the British transport sector would have been overlooked by the UK’s mandatory reporting laws if they hadn’t been disclosed to the government voluntarily.

When there is no obligation to report incidents that have not resulted in impactful attacks, organisations may understandably be reluctant to change their existing habits. However, the reality is that cybersecurity issues will always exist, and criminals will continue to target companies with ever more powerful tools and greater resources. It is not a matter of ‘if’ a breach will happen but ‘when’, and that ‘when’ can often be costly: the average cost of a ransomware attack in 2022 was a $4.54m loss, according to IBM’s Cost of a Data Breach report.

Transparency as a differentiator

By defaulting to transparency, enterprising businesses can rethink security to make it a strength and a differentiator. With 63pc of organisations saying that cybersecurity best practices are as important as cost when choosing a supplier, a trust-driven cybersecurity strategy can enable an organisation’s brand to stand out to the increasingly security-conscious buyer. Developing a security culture that promotes trust and transparency can pave the way for other changes in mindset. With brand loyalty often relying heavily on the ability to innovate and bring out new products quickly, security teams must also build trust internally to ensure employees don’t circumvent security processes in an attempt to speed up time to market.

Innovation and security

Involving developers in the security process is a must too. We all feel more bought-into things we have helped to define, whether that’s a work practice or deciding where to go on vacation. Open up effective communication channels with development teams and involve them in the creation of security initiatives. Organisations must ensure they incentivise and reward developers that highlight and resolve issues as this will further support security best practices and positive collaboration.

Security professionals can further support development teams by choosing security technologies that adapt to an organisation’s own development cycle and tools. There are options to consider that blend the security expertise of ethical hackers with continuous assessment technologies and process enhancements to find and fix vulnerabilities quickly.

Including ethical hacking in an organisation’s security strategy can also lessen the pressure on internal testing teams by providing the very latest vulnerability intelligence to identify current weaknesses. These human testers continually assess, verify, and scrutinise attack surfaces for potential vulnerabilities.

When incidents happen – which they will – avoid assigning blame, and continue to build a culture of openness that inspires development teams to innovate with security in mind and bring safer products to market faster.

The corporate responsibility pledge

Few would argue that understanding where the critical flaws lie within an organisation’s attack surface is increasingly complicated. Digital transformation, cloud adoption and remote working have led to new security headaches.

Many of the challenges that organisations face are common to all of them. By sharing intelligence, disclosing vulnerabilities and leveraging ethical hacking, organisations can remain secure and demonstrate security best practices. This in itself acts as a differentiator, demonstrating a company’s strength and its ability to constantly improve systems through engagements with the ethical hacking community. In short, through continuous testing, businesses can maintain constant security, improving customer trust and safety.

Enterprises that are ready to align with cybersecurity best practices that build a safer community can join the businesses that have signed up to The Corporate Security Responsibility Pledge, committing to four core principles: transparency, collaboration, innovation, and differentiation. By making this pledge, business leaders can set their organisation apart as one that demonstrates an active commitment to transparency as a core part of security.