Learning the hard way: Why cybersecurity failures need to be shared
Principal Ben Hobby highlights important lessons from the British Library cyberattack and their commitment to transparency.
When a cyberattack strikes, the consequences can be devastating — not just in terms of financial loss, but in lost trust. Yet, many organizations choose to remain silent about their cyber incidents. Why is this? And more importantly, what are the costs of this silence for others trying to stay ahead in an increasingly complex threat landscape?
Learning the hard way: Why we don’t share
It is part of the human condition that we often learn things from experience. Academics have demonstrated that other species learn from their actions and adjust their behaviour accordingly. Humans do the same, but are we doing it consistently, especially when it comes to cybersecurity?
When a cyberattack occurs, it is usual for the victim organisation to perform its own investigation to determine what went wrong. However, the results of these investigations and the lessons learned are rarely shared publicly. Let’s explore why that is — and why it needs to change.
1. Embarrassment
Many organizations fear that admitting to a cyber incident reflects a failure in their security measures. While this may be (partially) true, it ignores the fact that there is an arms race going on between cybersecurity specialists and the threat actors as companies do their utmost to be one step ahead of the bad guys. In any race, there will always be changes in the party that is in the lead and that is the case with cyber.
2. Security risk
Disclosing details of an attack, especially how it was resolved, can provide valuable intelligence to other attackers. By highlighting security gaps and the consequential security improvements that have been made, organizations may, inadvertently, provide the same or a different threat actor with intelligence that could be used to mount a second attack. It’s fair to say, therefore, that company directors often adopt a “once bitten, twice shy” approach.
3. Litigation risk
There is also the very real threat of litigation. As noted above, when an incident occurs, it may be the result of negligence, either a split-second decision by an employee clicking on a phishing link, or a failure to invest in security over a sustained period of time. In such cases, shareholders who may perceive that they have suffered a loss in the value of their investment, then sue the company directors in a class action suit for breach of fiduciary duties. By putting information into the public domain on how the incident occurred, directors could be providing fuel for the litigation fire.
Why sharing cyber lessons matters
Whatever the cause of this silence, lessons are not necessarily being learned as fast as they could be. So, credit to the British Library in publishing the results of their own investigation into the incident that they suffered in October 2023. The published report shows that the IT team were perhaps overstretched, multi-factor authentication was not used to connect to the British Library network domain and there was a plethora of external suppliers who also had network access.
While the situation is far from ideal, company directors facing similar challenges should take note: the British Library has incurred £7 million in restoration costs to address this incident. A substantial financial impact that ought to focus minds.
A call for greater transparency
Let us hope, therefore, that more organizations follow the British Library’s lead. By sharing their experiences, victim organizations can help others benefit from their experiences without having to endure the same costly lessons. By providing this greater transparency, victims will be helping us all in trying to stay one step ahead of the bad guys.
