Is Transparency a Missing Element in Industry Preparedness Against Cyberattacks?

Lack of transparency over cyber incidents makes it harder for companies to understand what their peers are up against and undercuts their preparedness for future attacks.

July 28, 2021

How prepared is your organization for a cyberattack? Have you trained your employees not to click on dodgy links in emails or open unusual attachments? Is your business continuity plan up to date and tested? These are some of the pressing concerns on the minds of IT and security teams in most organizations. However, their preparedness against an impending attack is being undermined by the lack of knowledge of how many other companies have been hacked. Any information they get about an attack comes through news stories in the press.

It is a glaring truth that many companies that get hacked don’t publicize it. They don’t share information about what happened and how much they paid the hackers in cryptocurrency as a ransom. And they don’t reveal how many customers had their personally identifiable information stolen and potentially put up for sale on the Dark Web.

That all means it can be tough for any organization to assess the risk they are facing accurately. It also means that other IT teams cannot use the information about what happened to those companies to prepare their defensive strategy. 

In hospitals, after an operation has gone wrong, there is a meeting of all the people involved and their colleagues to discuss what should be improved in treating patients to prevent the less-than-optimal outcome from happening again. Isn’t that what IT teams need to do as well? 

Rising Cost of Cyber Attacks 

IBM’s 2020 Cost of a Data Breach Report, compiled by Ponemon, shows that the average total cost of a data breach was $3.86 million. That figure shot up to $8.64 million in the U.S. The most expensive industry, in terms of cost incurred on breaches, was healthcare at $7.13 million. Worryingly, the average time to identify and contain a breach was 280 days, which involves 207 days to identify a breach and 73 days to contain it. That means some companies were hacked at the end of last year and they still don’t know it!

Penetration-testing firm Cobalt.io recently released its State of Pentesting 2021 report, which claims that a quarter of firms take up to 60 days, if not longer, to address low- to medium-risk vulnerabilities. And 1% of companies don’t bother to remediate them at all. Clearly, the longer an organization takes to respond to a vulnerability, the higher the risk of it being hacked. The survey also found that respondents pentest around 63% of their portfolios rather than all of them, and 40% of companies said they don’t have the money to pentest everything.

According to the 2021 SonicWall Cyber Threat Report, there has been a 62% increase in ransomware globally since 2019, and a 158% spike in North America.

Putting those together, it’s clear that a breach is a costly thing to happen to any company. It’s also clear that several companies are not giving the security of their systems the priority and the money that it needs.

Why Keep the Information Secret?

Either by design, bad luck, or incompetence, an organization has not given IT security the resources it needs, and it gets hacked. Typically, the bad actors will have taken a copy of the most lucrative data and then encrypted it and displayed a ransom demand. The company will have found that they can’t restore from their backups because that data is corrupted or encrypted. So, they are faced with a choice. Do they pay the ransom and take down their website and everything else for a couple of days, or do they say they won’t pay the ransom and go out of business? For most organizations, the choice is simple.

There then follows a second decision. Do they tell everyone that they have been hacked and publish a document from a respected security company explaining exactly what happened, or do they keep it secret? If they publish the information that they have experienced a breach, that will benefit other organizations – which is good. However, on the negative side, it could mean that they lose customers. It could result in a drop in their share price and a consequent decrease in shareholder dividends, which in turn could lead to a loss of shareholders and a further drop in their share price. And that could, possibly, lead to them going out of business.

You can see why keeping quiet about a breach is the more tempting option.

What Can Be Done?

One thing that can be done is for groups of hackers to reveal who has been hacked. This is what happened in June when the activists known as Distributed Denial of Secrets (DDoSecrets) published on its website data stolen (by other hackers) from five different companies in ransomware attacks that didn’t result in a payment. The data included more than 750,000 emails, photos, and documents. The group also has 1.9 terabytes of data taken from over a dozen other firms to share with journalists. You may well question the ethics and their reasoning, but groups like DDoSecrets are revealing the names of companies that have been hacked. The group claims that the personal details that they have published were already available on the web.

In the U.S., Mark Warner, chairman of the Senate Intelligence Committee and also co-chair and founder of the Senate Cybersecurity Caucus, when discussing data breaches at U.S. companies, recently said, “Not only are the companies often not reporting that they are attacked, but they’re not reporting the ransomware payments.” Warner added that it’s worth having a debate over whether to make paying ransoms illegal for U.S. companies. Again, this might result in companies that have been hacked revealing more details about what happened to them – and that can be a valuable lesson for other companies’ IT teams.

Is There a Perfect Solution?

The biggest problem that North American and European companies face is that criminal hacker groups are often based in poorer countries. That means the average of $3.86 million (according to IBM) generated from each hack adds a nice amount of income to that country’s budget. The hackers may not pay tax, but they do bring more money into the local economy, which will pay tax. And that income may make the governments of those countries less keen on pursuing criminal charges against those people.

Similarly, if a country where the hackers are based has a different political system to the country that the company being hacked is based in, there is no strong desire to prosecute the hacker groups. And, often, it seems agents of the nation state carry out the hacks. So, the idea of sending the culprits to prison and removing the threat just isn’t a workable solution. 

Is There a Working Solution?

There is always something to learn from any experience that doesn’t go quite right. With attacks on data security, there’s a lot of information that other IT teams can use to make it harder for the criminals to succeed in their next attack.

Companies like Colonial Pipeline and JBS have paid ransoms. Colonial Pipeline paid nearly $5 million and JBS paid $11 million. These two companies have come clean about paying ransoms, and Colonial has revealed how the hack took place. Following the SolarWinds hack at the end of last year, the New York Department of Financial Services (DFS) put together some recommendations for companies to enhance their security. They also found that several DFS-regulated companies were not very good at patch management, leaving them vulnerable to attack. They found that some companies had not installed patches since 2018.

It should become compulsory for companies to reveal that they have been hacked, the steps taken by the hackers to breach their security, and the size of the ransom demand and the amount paid.

Conclusion

The best defense that organizations can use to protect their networks from attacks clearly depends on organizations that have been hacked releasing information about that attack and the size of the ransom they paid. Armed with this information, other companies can ensure their IT teams take appropriate steps to prevent a breach from happening to them. If companies try to keep information about an attack secret, they prevent others from learning from their mistakes and making their cyber defenses stronger. This level of transparency is needed from everyone, and it is needed now, to help prevent further cyberattacks.

Do you think transparency over breaches can make enterprises more resilient against future attacks? Comment below or let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!

Trevor Eddolls
A popular speaker and blogger, Trevor currently chairs the Virtual IMS and Virtual CICS user groups. He's editorial director for the Arcati Mainframe Yearbook and for many years edited Xephon's Update publications. Trevor has an extensive 40-year background in mainframes and IT, and has been recognized as an IBM Champion from 2009 to 2022 for his leadership and contributions to the Information Management community. He's written numerous technical articles and published 3 mainframe-related books. He's an accomplished web designer and recognized social media expert.