10:15 Friday, 30 July 2021
UK Cyber Security Council
The average information security professional knows about the threats and attacks he or she is experiencing. Additionally, there are plenty of web sites you can scour to give yourself a general idea of what other threats are out there, and the vulnerabilities in popular operating systems and applications that those threats try to exploit.
But look around you. I bet there are dozens of companies in offices near yours, and they will all be experiencing some level of security attack, even if none of them is being subjected to heavy levels of intrusion or suffering major losses. Wouldn’t it be great if you could compare notes with your peers in those companies, share war stories and help each other grow their awareness of threats?
Well, you can. Trouble is, too many people are terrified of doing so. At first glance, this is understandable: security data is sensitive and confidential, and could be used against you. But is it really that big a deal?
If we’re talking about sharing information about the attacks you’re being subjected to, it’s hard to see why that would be in any way sensitive. What is there to lose by telling someone that you’d been hammered by, say, a phishing attack purporting to be from a bank or HMRC? You’re not admitting to any vulnerabilities, you’re simply saying that you’ve seen someone trying to attack you. Furthermore, you can actually gain a bit of kudos from telling people about it – after all, your systems were good enough and you were clever enough to spot it. It makes no sense at all to keep this to yourself, and I can never understand why people would do so.
Where it all really goes pear-shaped is when you consider sharing experiences of attacks that succeeded. How many of us are willing to admit we were hit by, for example, a ransomware attack that encrypted 50,000 files and that it took us days to recover the data from backups? Much of the problem is that the world looks down its nose at companies that suffer breaches – and it definitely hits the share price of public companies, albeit often fairly temporarily. The problem is, of course, that nobody wants to be the first company that discloses something major, because it will put them at a perception disadvantage relative to the companies that keep their mouths shut.
As security professionals, we need collectively to change this. Even if our employers are terrified of going public with data on attacks and damage, they need to start trusting us to collaborate among ourselves, under the Chatham House Rule or similar constraints, so that we can all benefit from a much wider range of information than would otherwise be available. As professionals we should trust each other to maintain confidences, because the upside is potentially huge.
One hopes that there’s some kind of specialist group local to each of us with which we could work to swap stories confidentially and build our knowledge as a result. And if there isn’t … perhaps it’s something that a bunch of like-minded people could start, or you could maybe look to existing groups like local BCS branches or ISACA/(ISC)2/CIISec chapters, or even your local IoD or Chamber of Commerce, neither of which comprises predominantly security professionals but both of which provide a channel into their members’ security teams. But I do think the action point is with us to try to make information sharing a normal thing to do, and get away from a situation where everyone is terrified to be the first to take the plunge.
And if there really is nothing local … or, for that matter, even if there is, I’m going to give the NCSC’s Cyber Security Information Sharing Partnership (CiSP) a shameless plug, because guess what – it’s a national portal in which security professionals can tell people about their security experiences, anonymously or not. It’s a brilliant little portal and the only thing it lacks is users: traffic levels are light and what it really needs is a critical mass of users to post there and drive the amount of useful content up. I dip in from time to time, and I’ve shared a few experiences over the years too. So should you: sign up at the NCSC's website.