Radical transparency is an essential part of security cultures in organisations, says Dr Niklas Hellemann, pictured, CEO at SoSafe, a cyber security awareness platform.
Data breaches have become a part of the lifecycle of modern businesses, and both businesses leaders and consumers know it. With the increasing professionalisation of cybercrime, security awareness has never been as important as it is today – both as a means of detecting, and reacting to, attacks. Considering this, minimising the impact of data breaches and ensuring they are detected as soon as possible should be priorities for all businesses, and will be helped significantly by creating a strong internal security culture. One important part of security cultures is transparent communication around data breaches – internally and externally. It will help us all to better understand cyber threats and how we can work against them.
If we look at the history of two tech giants and how they handled two different data breaches, we can clearly see different approaches to transparency. In October, Uber’s former chief security officer (CSO) stood trial and faced charges for covering up a 2016 data breach. Joe Sullivan sternly ordered his subordinate that no information about the incident was to be released to the public and it was only to say, “this investigation does not exist”.
In contrast, Dropbox opted for absolute transparency in the case of a phishing attack: the company published a detailed statement about the incident and all the measures taken. There was no secrecy or downplaying of the event – instead they used their communication as a means for more openness and honesty towards their customers.
“Radical transparency” is a corporate culture that involves complete openness with colleagues, customers, vendors, suppliers and partners. It goes beyond simply disclosing information: proactive sharing of important information is required – even if it seems uncomfortable.
In the context of cybersecurity, radical transparency needs to be part of security cultures of organisations and can empower everyone in an organisation to come forward if an attack occurs. This can help limit the damage from a breach, help teams learn from past mistakes, and better respond to future threat risks – all fundamentals of ‘incidental learning’. As an example, one element of security culture is “power distance”, or the extent to which more junior members of an organisation feel nervous about approaching more senior members. If people are afraid to flag it to their boss if they receive a weird email from them, it will be much less likely that ongoing attacks like CEO frauds are spotted. The importance of asking these questions despite hierarchy cannot be overstated – an employee’s thought processes regarding dealing with senior executives in the event of a potential cyberattack could be the determining factor when it comes to early detection – or too little, too late.
A strong security culture, built on trust and the confidence to disclose mistakes is a sure-fire way to improve a business’s chances of detecting a cyberattack early. Radical transparency is an opportunity for businesses to create this culture of threat transparency and for leaders to become role models for this behaviour.
Following this transparency approach also affects the public perception of organisations: companies today need to pay particular attention to communications related to cyber-attacks. A proactive communication strategy can help maintain a degree of control over media coverage and avoid reputational damage if it turns out that a company has tried to hide news of an attack or deny it.
People are the most important factor in cybersecurity and therefore it is fundamental that companies are supportive and motivating of their workers. By creating a culture where all employees can be confident that they will not be punished for cyber incidents, they can be encouraged to be open and honest about their experiences. By doing this, companies can learn together and understand where the biggest risks lie and what needs to be done to address them. This allows safe cybersecurity practices to be developed and maintained to sustainably limit the cyber risk for organisations.
A culture of radical transparency also means more discussion about cybersecurity both inside and outside the company – allowing all those to understand why it is so important that everyone improves their level of knowledge about digital security. No exaggeration is needed: promoting radical transparency is a crucial part of developing a high level of security awareness among all our employees.
Therefore, business leaders need to follow the example set by Dropbox in the face of the data breach: not only to enhance their image but to change the culture of blame in the industry as a whole. Instead, following the approach of radical transparency will help organisations create and nurture a stronger, more human-centric security culture.
