
In a sorry state of affairs, a recent survey found that nearly seven in ten CISOs and CIOs have been encouraged to keep a data breach under wraps. While shocking, this shouldn’t be a surprise.
When a UK company is hit by a cyberattack, lawyers brought on board to support the recovery process more often than not recommend downplaying the severity of any associated data breach. This strategy is supported by the ease with which such breaches can be reported to the ICO as ‘immaterial’ and communicated as such to exposed customers and businesses.
When data breaches do play out publicly, as seen this summer in cyber attacks targeting the Co-op and M&S, the backlash is significant. Both companies are now subject to class action lawsuits grouping together shoppers whose personal details were compromised. The threat of such legal action is enough to send a chill down the spines of any UK board. Propping up this status quo is a fundamental truth: that most UK organisations are completely in the dark about the contents of breaches.
A culture without winners
There are several arguments to be made for ditching this attitude toward data breaches – the most obvious being that it puts us all at risk. A recent study found that the average data breach exposes 482 individual organisations. In today’s norm, these organisations are either unaware of their exposure or find out but are forced to trust the breached party’s assessment of that exposure.
The same study finds that emails, financial data and HR records are all widely exposed in breached datasets. The prevailing tendency to ignore a breach’s contents, therefore, means organisations are left vulnerable to what criminals could seek out in the public domain to target them with cyber attacks and scams.
Organisations that have suffered a breach may logically benefit from being in a position to downplay the threat. But what about the existing datasets available online that leave them exposed? The situation is a mess without winners.
The good news is that advances in AI pave the way for a better way forward. At-scale and safe analysis of breached datasets is set to blow the culture of silence wide open.
Peering into data breaches for ground truth
Historically, an organisation that suspected it was exposed in a data breach had to take the risk of downloading the breached dataset in question to check for itself, or pay a CTI company to run the analysis.
Exposed Data Intelligence (EDI) is a step change because it puts the power into enquiring organisations’ hands. EDI firms use AI to download and analyse breached datasets at a scale that human teams could never match. Organisations then tap into this intelligence to learn what breaches they’re exposed to and what data has been compromised. This insight can be accessed and acted on autonomously by individual organisations.
When EDI brings an organisation’s data breach exposure to light, many stakeholders benefit. Compliance teams can meet regulatory obligations with more precision. Risk teams get hard data to articulate the depth and specifics of data breach exposure. IT teams gain a clearer picture of where defences could be compromised to inform follow-up defensive measures.
But breached companies also have something to gain. Having assessed the contents of data that has been exfiltrated and published online at a granular level, organisations are better equipped to uphold values of transparency in communication with regulators, customers and the public when disclosing a breach. They also benefit from being able to guide the next steps of recovery (whether communications or compensation payouts) based on the exact contents of the breach, which helps avoid unnecessary actions and costs.
Rethinking the data breach
The current approach to breaches in the UK is broken thanks to a prevailing mindset that prioritises damage control over intelligence. EDI offers a way to change that. By looking directly into breached datasets, organisations gain clarity, insight and accountability around data breaches.
This status quo shake-up isn’t about victim blaming or a rebalancing of power. It’s about injecting intelligence into how we deal with data breaches to ensure bad actors aren’t one step ahead of defenders and that data breach recovery is as painless as possible.
Robin Brattel is the co-founder and CEO of Lab 1