We Need a Global Standard for Reporting Cyber Attacks
Cyber threats are a seemingly impossible challenge. By their very nature — fast-changing, borderless, asymmetric — they’re ridiculously difficult to predict and manage. We focused on the main challenge in managing cybersecurity: the data gap. Very little cyber data is broadly available, making it difficult to objectively evaluate the potential impact of incidents. Through our work we propose an approach to identifying what to measure, how to capture the required data and how to make it useful.
SHARE INFORMATION: Information is power and, in cybersecurity, it’s the power to prevent other similar events. If a breach occurs in one organization, we can be reasonably confident that the same malicious tactic will be used against another organization in the near future. If the data about that first known breach is made available, other organizations can prepare themselves. Shared knowledge also allows regulators and law enforcement to design incentives objectively, guiding corporate cybersecurity governance, data gathering and information sharing.
The first step is to figure out what exactly should be measured. To do this, we must agree on a standard taxonomy of cyber events so that we can track and understand the consequences of any attack. To encourage breach-related information sharing, it is important to guarantee anonymity to the organizations reporting incidents.
The cyber threat landscape is constantly evolving, as are regulatory requirements. Cyber preparedness has to be reviewed and adjusted regularly.
COMPLIANCE AND COMMUNICATION: Regulators across the globe require companies to disclose incidents, but our research shows that too often these regulators share too little of the data publicly for it to be of use, if they share any at all. In our research we observed that while reporting on cyber risks is a purely compliance-based exercise, companies do report in greater detail after they suffer a publicly disclosed incident.
We’re just as worried that there are no incentives for organizations to share what data they may have about cyber breaches and vulnerabilities. To remedy this, we suggest a public-private partnership to give organizations the operational support they need both to monitor their security and to share information via a trusted resource.
(Marc Barrachin is a managing director at S&P Global Market Intelligence. Algirde Pipikaite serves as a project lead at the Centre for Cybersecurity, World Economic Forum.)