Covering up cyber attacks is never a good idea, but many firms still do it. A report by Keeper Security found that 41% of breaches are not reported to internal leadership, and nearly half of firms keep incidents a secret from authorities.
There are many reasons for keeping silent, including ignorance of regulatory requirements, with some even forgetting to share the news of an attack. Sometimes the reasons are more sinister, with leadership keeping their lips sealed due to fear of repercussions from the board and plummeting share prices.
But silence is not always golden, and you usually get rumbled in the end. Let’s take the example of Uber. Its reputation was damaged after it waited a year to admit it had paid hackers to keep quiet about a breach in 2016 involving the information of 57 million riders.
In 2017, Equifax waited weeks to take action after the breach that exposed the personal information of 147 million people. Right now, SolarWinds and its CISO are facing legal action after failing to disclose problems with its security that led to the devastating cyber attack in 2020.
Sometimes firms keep quiet about breaches because they simply don’t know what they’re meant to do. “Blissful ignorance” is one reason firms hide an attack, says Richard Staynings, chief security strategist at Cylera.
In some cases, organisations cannot recognise an attack has taken place and attribute IT problems to other causes, he says. “This is often the result of inadequate cybersecurity team capabilities.”
It can take less sophisticated organisations months or longer to realise they have suffered an attack, says Staynings. He cites the Yahoo breaches of over three billion user accounts: “This was only fully discovered when a forensic investigation of a newer attack revealed several large prior breaches.”
At the other end of the scale, covering up attacks is often done intentionally, with security leaders fearful of losing their jobs and under pressure from CEOs and boards. Some organisations deliberately under-fund cybersecurity to maximise shareholder profits and CEO bonuses, says Staynings.
“They accept unnecessary risks that may lead to an attack, hoping it doesn’t occur during their watch as CEO or a board member. When an incident does happen, they do their best to cover it up, threatening security, privacy and compliance.”
Corporate culture plays a critical role in the cyber attack silence, says Richard Bate, CTO at Goldilock. “Individuals may hesitate to report incidents in environments where blame is quickly assigned and with harsh repercussions.”
Speaking out about cyber attacks beyond your reporting duties is not always easy, for many reasons. To be fair, the breadth of an attack, its motive and its entry point are often unknown even months after the initial breach is detected, says David Jones, a cybersecurity and governance subject matter expert and non-executive director at regulator Ofcom, who is speaking in a personal capacity.
Jones says that regulatory requirements and the threat of legal action can cause some firms to panic. “This means that in this stressful situation, they will feel like they are fighting across a number of fronts.”
Not reporting attacks doesn’t help anyone and can lead to more breaches. This is because it can embolden attackers and diminish the urgency to bolster security measures, making repeated breaches more likely, says Dr Klaus Schenk, vice president of security and threat research at Verimatrix.
Failure to report attacks also hampers the ability of law enforcement and cybersecurity agencies to respond to cyber threats, Bate says. “These entities rely on breach reports to piece together the puzzle of cyber criminal operations, to track and apprehend perpetrators, and to issue timely warnings to the community at large.”
On the technical side, any data stolen from a breach can be used to launch further attacks, says Matthew Giles, an instructional designer at VIPRE Security Group. “In fact, by not reporting the breach, the organisation gives the attacker unlimited time to gather existing data and any new information. Cyber criminals can then compromise multiple systems and create backdoors for future access.”
Determining what data falls under regulation, such as the EU General Data Protection Regulation (GDPR), helps breached companies determine how much to say and when.
Under GDPR, any personally identifiable information (PII) is protected, says Schenk. This includes names, addresses, digital footprints and unique identifiers such as client IDs. He says that non-PII, such as anonymised or statistical data, usually falls outside its scope.
If personal data is compromised, you must notify the authorities, says Bate. However, grey areas also exist, he says. “Corporate data, including confidential business information and trade secrets, does not receive the same level of protection under GDPR unless it relates to identifiable individuals.”
Breaking the cyber attack silence is possible if companies are prepared to overhaul their business culture and mindset. Transparency is a “business game-changer”, says Laurie Mercer, security architect at HackerOne. “Building a security culture that promotes trust and transparency can pave the way for other changes in mindset.”
He describes how “open, honest, and authentic leaders” who adopt “radical transparency” as part of their cybersecurity approach will help to boost security culture within the business. “This will increase trust, differentiate the brand and create a robust security posture,” he advises.
At the same time, knowledge is key. Employees should be adequately trained to carry out their duties in a “secure and safe manner”, says Cliff Martin, head of cyber incident response at GRCI Law. “Inadequate processes, policies and training contribute significantly to cybersecurity incidents. Firms cannot expect staff just to know what is expected or how to do certain tasks because everyone has a different view and may approach it differently.”
Setting training goals and incentivising learning in a meaningful way “helps greatly”, says Giles. “Security training needs to be a means of changing behaviours and habits; it’s not only for awareness. All types of training are needed, from reporting an incident to knowing what the various regulations, such as GDPR, demand.”
As part of this, creating an environment where staff are trained to handle data responsibly and feel comfortable reporting security incidents is “crucial”, says Schenk. “This approach should emphasise that anyone can make a mistake, and the focus should be on collective improvement rather than individual blame.”
Culture change comes from the top down, which means the top brass need to lead by example, says Bate. “This includes demonstrating a commitment to transparency, participating in training, and supporting staff who escalate concerns. This top-down endorsement is crucial in cementing culture change.”
As too many firms have discovered, if you cover it up, you’ll get found out in the end. The benefits of an open and transparent business culture are vast – including a boost to reputation and the ability to respond better to future attacks.