Cybersecurity professionals in the local industry, or in this region, have noted that other regions like America or Europe, have a tendency to be transparent and forthcoming about their cyber incidents.
This isn’t the case for Asian businesses, as (organisations here) tend to have the habit of saving face. “Whatever we do, it’s always about saving face, and making sure we always look good.,” is one cybersecurity professional’s view.
This is one of the main gripes for cyberdefenders in the cybersecurity industry. Because the need to save face, leads to a very glaring lack of information sharing. There is no information gleaned from the ‘attack event’ that other organisations can learn so that they can protect themselves.
But there is another side to the coin.
In the commercial environment, information is valuable. From an academician’s point of view, information can be used as a competitive advantage, hence all the secrecy around attacks, and even the type of protection solutions an organisation uses.
“Similarly, certain technical skills or know-how, are trade secrets and revealed only to certain parties on a need-to-know basis,” she said. “Failure to guard this information, is a breach.” Not to mention, there are vested interests to protect.
So, for organisations to give away data about whether they were compromised, as well as the who, why, what, when, and how? Who should drive this? If companies are serious in upholding transparent reporting, and employees are assured that they can make mistakes without being casually penalised, the environment can potentially be healthier for all.
Let’s examine what happens.
There are regulations around notifying regulators when a data breach occurs. That’s best practice in theory. However, this applies to regulated industries most of the time – healthcare and finance, for example. Then there is the matter of whether breach notification happens in reality.
The media can learn of some things, but there is still a whole lot that the media does not know. And one of it is whether a compromised organisation has ever been fined for not notifying regulators.
So, that’s two avenues of possible disclosure we are talking about here: to the media (and the public), and to regulators.
A third avenue is not so much about official disclosures, but more about knowledge sharing among like-minded folks who have for lack of a better phrase, a unified objective.
A unified objective?
Cybersecurity professionals will note many incidents and breaches that occur in the industry, but all they can do is speculate as to what really happened. In most cases, there is not much information about the cyber event, for example IOCs or indicators of compromise because organisations that have been compromised are so tight-lipped about what happened.
One cybersecurity professional’s statement goes like this: ”We are not living in isolation. In today’s world everyone is connected via the Internet, and the threat that happened to Company A is eventually going to hit Company B and Company C and so on.”
If there is so much as a rumour of a company being breached, the first official statement that is going to come from the company is, “We are ok, everything is fine. We place very heavy emphasis on our security and your security is of utmost importance to us.”
But the precious intelligence they are withholding could make all the difference in whether the next organisation becomes a breach ‘victim’ or not.
This may be an area where the threat actors have a huge advantage over the defenders.
A comprehensive and trusted network of threat intel and information is something every cybersecurity professional should have in their arsenal.
This article is based upon a podcast chat which is rumoured to have happened pre-MCO. To this day, the podcast episode has not been found. Maybe the Gods of Podcast ate it up. Or it became collateral damage during the Great War of Mixer Monsters. Our source has requested to remain anonymous and would only reveal that 5 individuals were present during this first podcast chat.
Are there more in the works? Only time will tell.