The sharing of threat intelligence is something of a fraught issue in the cybersecurity industry. Despite many experts agreeing that it would be a useful weapon against gangs of ever more sophisticated hackers, many individual firms worry about the reputational risks of disclosure.
Indeed the problem is so acute that US president Barack Obama is due to sign an executive order encouraging technology companies to set up groups dedicated to sharing threat data, and has just attended a summit at which corporate responsibility to share such data was scrutinised. Yet while even the reporting of breaches to regulators remains in question, sharing data with a rival will always seem like a big step.
"Disclosure means quite a lot of things to many people," said Ray Stanton, VP of professional services at BT, speaking on a panel in Westminster last week. Disclosure can be classified either as a legal obligation or as a matter of corporate responsibility – only the latter is optional.
At present, companies in the UK mostly do not have to report breaches to the Information Commissioner’s Office (ICO) (exceptions apply in certain regulated industries), or to the consumers affected. Yet the potential for later punishment over a badly handled data breach means that many firms choose to report anyway, in the hope that doing so will weaken the case for a reprimand.
"As a consumer I would have the expectation of being informed," said Andrew Archibald, deputy director of the National Crime Agency’s cybercrime unit, also on the panel. "That said, I recognise some of the challenges that presents to business in terms of reputation to business and in terms of shares."
The art of remediation
Many firms have been embarrassed once details of a breach have leaked online, where they can be circulated on social media. "Once [an incident] gets out onto the social networks you have no control of it at all," said Gary Cheetham, CISO at insurance firm NFU Mutual. "Proving a negative is quite difficult."
He said that his firm takes a highly proactive approach to reporting breaches to both customers and regulators. "If there’s any sign of a breach or degradation of service we will let the FCA (Financial Conduct Authority) know straight away," he said, adding that the same applies to customers if, for instance, a renewal note goes missing in the post.
"It really is important to us that we keep the regulators informed, but also we’re very proud of our customer retention and we want to make sure they feel comfortable," he said. "That’s the attitude we take – but not everyone has that attitude."
That latter point is certainly true, as many firms have found out to their cost when an ICO investigation ends in a fine. Indeed, a straw poll of the room found that only a quarter of attendees at the conference had a third-party reporting policy.
As Archibald pointed out, people will have different ideas of what "responsible disclosure" actually entails, depending on the job at hand and the individual's career history. The law enforcer's own view is that, whether or not you report to a regulator, you must share breach data with your competitors.
Based on current evidence, Obama’s plans may face some resistance.