Learning the hard way: Why cybersecurity failures need to be shared

Principal Ben Hobby highlights important lessons from the British Library cyberattack and their commitment to transparency.

When a cyberattack strikes, the consequences can be devastating — not just in terms of financial loss, but in lost trust. Yet, many organizations choose to remain silent about their cyber incidents. Why is this? And more importantly, what are the costs of this silence for others trying to stay ahead in an increasingly complex threat landscape?

Learning the hard way: Why we don’t share

It is part of the human condition that we often learn things from experience. Academics have demonstrated that other species learn from their actions and adjust their behaviour accordingly. Humans do the same, but are we doing it consistently, especially when it comes to cybersecurity?

When a cyberattack occurs, it is usual for the victim organisation to perform its own investigation to determine what went wrong. However, the results of these investigations and the lessons learned are rarely shared publicly. Let’s explore why that is — and why it needs to change.

1. Embarrassment

Many organizations fear that admitting to a cyber incident reflects a failure in their security measures. While this may be (partially) true, it ignores the fact that there is an arms race going on between cybersecurity specialists and the threat actors as companies do their utmost to be one step ahead of the bad guys. In any race, there will always be changes in the party that is in the lead and that is the case with cyber.

2. Security risk

Disclosing details of an attack, especially how it was resolved, can provide valuable intelligence to other attackers. By highlighting security gaps and the consequential security improvements that have been made, organizations may, inadvertently, provide the same or a different threat actor with intelligence that could be used to mount a second attack. It’s fair to say, therefore, that company directors often adopt a “once bitten, twice shy” approach.

3. Litigation risk

There is also the very real threat of litigation. As noted above, when an incident occurs, it may be the result of negligence, either a split-second decision by an employee clicking on a phishing link, or a failure to invest in security over a sustained period of time. In such cases, shareholders who may perceive that they have suffered a loss in the value of their investment, then sue the company directors in a class action suit for breach of fiduciary duties. By putting information into the public domain on how the incident occurred, directors could be providing fuel for the litigation fire.