A 2017 BDO Cyber Governance Survey reports that executives are reticent to reveal insights that could help organizations around the world reduce the risk of a security incident. Only one-quarter of company directors share information about cyber attacks with other organizations.
But in a world of highly collaborative attackers and a thriving Darknet marketplace, is going solo the best tactic for organizations to stay safe, and for the public to be protected? Let’s take a look at some expert recommendations, shared resources, collaboration examples, and rating systems that can help organizations band together to tackle cyber security threats.
Harness the Wisdom of the Crowd
Melanie Rieback, CEO of Radically Open Security, offers advice that encourages organizations to rethink what they keep secret:
- Work with your rivals: Rieback points out that banks have recognized the need to create an open dialogue with their rivals, sharing things like firewall rules – and other industries must think the same way.
- Stop trying to buy peace of mind: Rieback stresses the importance of open-source solutions and industry initiatives that share “indicators of compromise”, such as the subject lines of phishing emails or the fingerprints (hashes) of files that might be malicious.
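To make the second point concrete, here is a small added example (not code from the article or from Radically Open Security) of what a defender does with shared indicators of compromise: it loads a feed of file fingerprints and phishing subject lines published by peer organizations and checks local observations against it. The feed layout, the peer names and the sample attachment bytes are all constructed for the illustration; real sharing programs use their own schemas, but the matching logic is the same idea.

```python
"""Match local observations (email subject lines, attachment bytes) against a
shared indicator-of-compromise feed. Added illustration; the feed format below is
a constructed JSON layout, not the schema of any real sharing program."""
import hashlib
import json
import re

# Constructed malicious attachment bytes. Peers share its hash, never the file itself.
MALICIOUS_SAMPLE = b"MZ\x90\x00 constructed sample of a malicious attachment"

# Constructed feed: what two hypothetical peer organizations might publish.
SHARED_FEED_JSON = json.dumps({
    "indicators": [
        {"type": "sha256",
         "value": hashlib.sha256(MALICIOUS_SAMPLE).hexdigest(),
         "source": "peer-org-A"},
        {"type": "subject",
         "value": "Urgent: Invoice #4821 Overdue",
         "source": "peer-org-B"},
        # Malformed entry: a 'sha256' that is not 64 hex characters. The loader
        # drops it so a typo in a shared feed cannot silently match nothing.
        {"type": "sha256", "value": "not-a-real-hash", "source": "peer-org-B"},
    ]
})

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_subject(subject: str) -> str:
    """Canonicalize a subject line so trivial variations (case, extra spaces,
    reply/forward prefixes) still match the shared indicator."""
    s = subject.strip().lower()
    # Strip any number of leading "re:", "fw:", "fwd:" markers.
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", s)
    return re.sub(r"\s+", " ", s)


def load_feed(feed_json: str) -> dict:
    """Parse the feed into lookup tables keyed by indicator type.
    Returns {'sha256': {hash: source}, 'subject': {normalized_subject: source}}."""
    feed = json.loads(feed_json)
    tables = {"sha256": {}, "subject": {}}
    for ind in feed.get("indicators", []):
        kind = ind.get("type")
        value = str(ind.get("value", ""))
        source = ind.get("source", "unknown")
        if kind == "sha256":
            value = value.lower()
            if not SHA256_RE.match(value):
                continue  # skip malformed hashes rather than trust them
            tables["sha256"][value] = source
        elif kind == "subject":
            tables["subject"][normalize_subject(value)] = source
    return tables


def file_fingerprint(data: bytes) -> str:
    """SHA-256 of the file content: the 'fingerprint' that peers share."""
    return hashlib.sha256(data).hexdigest()


def match_email(subject: str, attachments: list, tables: dict) -> list:
    """Return one hit dict per shared indicator that this message matches."""
    hits = []
    norm = normalize_subject(subject)
    if norm in tables["subject"]:
        hits.append({"indicator": "subject", "value": norm,
                     "source": tables["subject"][norm]})
    for data in attachments:
        digest = file_fingerprint(data)
        if digest in tables["sha256"]:
            hits.append({"indicator": "sha256", "value": digest,
                         "source": tables["sha256"][digest]})
    return hits


if __name__ == "__main__":
    tables = load_feed(SHARED_FEED_JSON)
    suspicious = match_email("RE: urgent:  invoice #4821 OVERDUE",
                             [MALICIOUS_SAMPLE], tables)
    benign = match_email("Lunch on Friday?", [b"plain text attachment"], tables)
    print(f"suspicious message hits: {suspicious}")
    print(f"benign message hits: {benign}")
```

Two design choices matter here: subject lines are normalized before comparison because attackers and mail clients vary case, spacing and reply prefixes, and malformed hash entries are dropped at load time so a bad record in someone else's feed degrades into a missed indicator rather than a broken matcher. Each hit carries its source tag, which is what lets an analyst report back to the peer that shared it.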
Private industry and government agencies have launched efforts to share information and resources:
- The Information Sharing and Analysis Centers help critical infrastructure owners and operators protect their facilities, personnel, and customers from security threats and other hazards, and they provide member groups covering more than 20 sectors.
- The Cyber Information Sharing and Collaboration Program (CISCP) is the Department of Homeland Security’s flagship program for public-private information sharing. In CISCP, DHS and participating companies share information about cyber threats, incidents, and vulnerabilities.
Some industries are collaborating to assess the security of vendors and providers. One such example is assessments of cloud providers. This effort arose because of the difficulties and rework involved in drafting and completing questionnaires designed to determine the security practices and procedures of cloud providers.
By adopting a shared, industry-standard questionnaire, service providers demonstrate to potential customers that they are dedicated to making it easy for a customer to assess the security of their service. Customers, in turn, can reduce the manual effort of creating an assessment from scratch and have confidence that the questionnaire was completed by the appropriate person at the vendor.
One industry example of such a questionnaire is the Higher Education Cloud Vendor Assessment Tool, which helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, including some that are unique to higher education.
Take Advantage of Ratings to Assess Partners and Vendors
Large corporations often use cyber security ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Senior executives can use a score to explain a company’s cyber risk to its board of directors with an easy-to-understand rating. Insurers also look at the ratings when they make underwriting decisions on cyber liability.
Companies such as BitSight Technologies and SecurityScorecard analyze large datasets to rate companies on their cyber security. FICO itself has a scoring tool, the FICO® Enterprise Security Score.
In response to the burgeoning industry, the US Chamber of Commerce has developed the Principles for Fair and Accurate Security Ratings, which is supported by dozens of major organizations.
While the industry is in its infancy, organizations can take advantage of the data analyzed and the scores reported as a way to measure the security of vendors and partners. Jeffrey Wheatman, research director for security and privacy at Gartner, says:
“We think that at some point in the near term, a cyber security score will be as important as a credit score when organizations look to sign up for a partnership.”