Security experts have called for improvements in how private sector organizations share threat intelligence data with the wider industry.
It’s believed that better cross-organizational collaboration would improve cyber resiliency in the face of cyber attacks that continue to rise in frequency and develop ever more sophisticated.
“I think this is one of the ways in which the private sector can work with governments around the world, and each other across sectors, industries, and regions,” said Jen Ellis, co-chair at the Institute for Science and Technology’s Ransomware Task Force.
Government agencies such as the UK’s Information Commissioner’s Office (ICO) or the US’ Cybersecurity and Infrastructure Security Agency (CISA) enforce strict reporting deadlines around data breaches, but companies often report the minimum required information.
Three ways to evolve your security operations
Why current approaches aren’t working
The designated cyber security authorities in the UK and US enforce strict reporting deadlines around data breaches and this is seen as a positive step.
However, victims often report the minimum required information which in turn reduces other organizations’ ability to learn from, and potentially prevent, follow-on attacks.
The panel spoke at Infosecurity Europe 2023, discussing the topic of a so-called ‘catastrophic cyber storm’ that businesses currently face.
Nick Prescot, CISO at Norgine B.V, noted that there already is a great deal of information sharing in the industry, but much of the information is shared through private channels and the public’s perception of that exchange is limited.
“It’s easy to say that we can talk to everyone and every organization can talk to each other,” said Cedric Mallia, CISO at Play’n GO.
“In practice, that’s way more complex, because sometimes you have to share information with your competitors or with entities that could use that information to extrapolate things you don’t want them to.”
Mallia also noted that sometimes data shared can give an inaccurate picture of how an attack was carried out or handled.
“It is nearly a legal issue to know what to say, without giving away information that you don’t wish others to know. And that makes it very, very difficult.”
Some smaller organizations may currently lack the relevant resources or knowledge to react to an attack in the best way and could benefit from data sharing with larger organizations, particularly those that have weathered similar attacks.
But many fear exposing proprietary information by being too open around attacks, and security teams may be concerned that public insight into defensive strategies could open them up to further attacks down the line.
Dr. Fene Osakwe, group head of digital and technology assurance at the Wellcome Trust, suggested that legislation or guidelines could be drawn up for what data to share.
“It’s difficult to share without a framework that governs what is allowed to be shared, and what exactly is being classified as intelligence,” he said.
“I think that it’s important for a trusted, independent party whether it’s the government or an NGO, to create that framework that states under what conditions, how, and with who information will be shared and what it will be used for.”
Osakwe further suggested that it should be the responsibility of executives, rather than security teams, to ensure that these channels of communication are maintained.
“Arrogance” to try to avoid the storm
Mallia branded the attitude of some companies “arrogance”, and argued that those that still believe they can avoid becoming involved in the current threat landscape altogether could cause their own downfall.
The top zero trust use cases
The challenges organizations solve to reduce risk and cost
“It is a storm at the end of the day, but we have the ability and knowledge to weather it out,” he continued.
“Those who are resilient will come out the other side.”
For many businesses, the ‘storm’ of cyber attacks has arrived in full force. Cyber attacks on UK organizations rose 77% in 2022, and new ransomware strains like Rorschach continue to raise the threat ceiling.
International police forces have set their sights on LockBit, the notorious ransomware as a service operator, but attempts to stamp out threats continue to play second fiddle to defensive and remediation efforts.
The panelists urged attendees to consider their security contingencies, as attacks are bound to occur but businesses are made or broken by their preparedness to quickly recover.
“It’s about making it harder for attackers, every time,” said Ellis.
“It’s about raising that bar, making it more expensive and inconvenient for them. We’re never going to be this mythical thing of ‘secure’, but we can continue to make progress.”
Geopolitical awareness needed
All panelists made the case for companies to heighten awareness of the worldwide cyber security and geopolitical landscape to improve their threat posture.
“People think that the ‘big bad countries’ are going to flyswat small countries,” said Prescot.
“But with cyber it’s different, it’s very asymmetric,” he said, and cited Cl0p’s MOVEit supply chain attack as a recent example of the kind of smaller, possibly state-backed groups with which companies are having to contend.
Osakwe gave the example of an African company with whom he had worked, which was targeted by a politically-motivated cyber attack based on a rumor that it had worked with an opposition party.
“When that information came, it gave the security team a lot more perspective of what to do,” said Osakwe.
