Why some enterprises ignore security

by Mark Rowe

Why are some enterprises ignoring known security issues? asks Joe Griffiths, Blue Team Leader at CyberGuard Technologies.

Faced with a cybersecurity incident, a fast and decisive response is the difference between survival and catastrophe. How effective this response can be depends on three things: being well-prepared for cyber-threats, clear and thorough internal communication and a strong security culture at all layers of the business. Security awareness is key. No enterprise can be well-prepared without active awareness of the current security landscape, but ‘awareness’ can carry different meanings in different contexts.

At a fundamental level, awareness is strongly linked to disclosure; the publication of vulnerabilities and incidents by the organisations that discover them. The right time and circumstances to disclose security vulnerabilities is a hotly debated question among security experts. There are two approaches to disclosure: full disclosure and responsible disclosure.

Full disclosure is the immediate and complete publication of any discovered vulnerability or security incident. The arguments in favour of full disclosure are that it raises global awareness of an issue, allowing other organisations to prepare, and that it enables security experts to work on preventing the risk being exploited in future.

Responsible disclosure posits that security vulnerabilities should only be disclosed in a way that minimises potential harm; that is, disclosure is limited to the vendor rather than the public. The argument for responsible disclosure is that immediate publication of a vulnerability could lead to greater exploitation by malicious actors before the risk is addressed by the vendor; and this could be economically disruptive by shaking consumer trust.

Already, this puts small and medium-sized enterprises (SMEs) in a difficult position. Whether they can prepare for new, emerging security risks often depends on the disclosure and remediation practices of larger companies that are aware of them. But responsible disclosure usually leads to a gap between discovery and solution. As a result, SMEs – without the resources to detect zero-day incursions, or to track and respond to vendor patches in a timely fashion – can be compromised without knowing it.

Modern attackers are very stealthy. They can use new unpatched vulnerabilities to compromise a network and steal confidential data without the victim being aware. Even if the victim becomes aware of the incursion later, if no visible damage was done, the SME can be tempted to ignore the incident to protect its own reputation. A 2019 study by Atomik Research found that 81 per cent of UK companies had been breached in the previous 12 months, but 39% said they only report major breaches to their customers. [i]

This is just one way in which business owners and executives can be incentivised to try to hide security incidents that happen within their organisation – or even to ignore them altogether. UK government statistics saw a reduction in reported cyber breaches and threats in 2021, but a closer reading of the facts suggests that this may be due to underreporting rather than an actual reduction in malicious cyber activity during the pandemic.[ii]

Why are cyber threats ignored?

The interpretation of the government figures is supported by an ISACA report [iii] also suggesting widespread under-reporting of cyber incidents. It prompts an important question: why are businesses keeping quiet about security breaches? To understand this, we need to appreciate the relationship between business structures, cybersecurity and the wider economic landscape.

One possibility is that executives may not be aware that an issue exists. End users are frequently targeted by cyberattacks, but they may try to hide any mistakes, or may not understand the full implications of an incident. According to the government statistics, only 14% of UK businesses held training or awareness-raising events for staff in 2021. Other data shows that up to 20 per cent of businesses have never trained their staff in cybersecurity at all. [iv]

This is compounded by the increase in work-from-home over the last few years.[v] There are concerns that staff will avoid reporting potential security incidents either through fear of repercussions or due to a lack of clarity on whom to report to. There can also be an issue of confidence in management; in the US, only 14% of government workers feel they can explain security issues to their superiors and be understood. [vi]

In cases where management is aware of a security incident but fails to act, it would be easy to ascribe this to simple negligence. The reality is likely to be more complex. In a post-GDPR world, any business faces heavy penalties for knowingly ignoring a vulnerability or active breach, so an executive may choose not to know about an incident in order to be able to ignore it. Furthermore, smaller businesses are less likely to be able to devote internal resources to vulnerability management without external compliance support from experts like CyberGuard’s SOC team. [vii] Regulators may create a double-edged sword that contributes to a culture of fear, motivating business owners to conceal security issues.

Another possibility is complications arising from the supply chain. [viii] Small and medium-sized enterprises are already faced with extensive difficulties related to supply-chain security. A provider’s failure to disclose, or even be aware of, a security risk passes that risk forward on the supply chain.

Smaller business owners may also be faced with difficult decisions if a service provider discloses a security risk privately; even if the provider is acting irresponsibly, taking public action to remediate the issue could jeopardise an otherwise beneficial working relationship. Even more difficult is the issue of open-source components; 90pc of IT leaders make use of open-source components, and 79pc expect to use even more over 2022 and 2023. There is no chain of communication or centralised channel of vulnerability reporting for these components. [ix]

Structural issues

Businesses can also face extensive difficulties with internal communication. Where security issues are concerned, “There is only one thing in life worse than being talked about, and that is not being talked about.” [x] However, many SMEs don’t have a clear outline of how to talk about or act on breaches and vulnerabilities – only 33pc of organisations in the UK have a written cybersecurity policy according to government statistics. This can cause severe delays when a critical vulnerability is found – every layer of the organisation is left guessing at who does or does not need to be informed before action is taken. The process can easily devolve into questions of responsibility rather than remediation.

Just 10% of UK small businesses have a dedicated IT role to take that responsibility. Even in larger enterprises, only 21pc of those responsible for incident response hold senior IT roles. The responsibility is usually placed on other executives or on people with less overall authority within the IT department (again according to the government statistics). In those businesses that have created a CISO role, the CISO usually reports to the CIO, and only 12pc of CISOs have equal seniority within the business. Acting on a security incident needs communication and coordination between both these roles and the owner or CEO, but misinterpretations of authority and responsibility can lead to delays in resolving issues.

Automated user security monitoring can solve many of these problems, but can be difficult to deploy and integrate. In the UK, monitoring tools were used by fewer businesses in 2021 than in 2020, with under a third of organisations monitoring their users’ activity for security issues. This is likely due to the increase in hybrid workspaces and work-from-home policies during Covid – thorough monitoring of employee activity at home would be both intrusive and much more expensive than in-office monitoring.

What is needed

All businesses face one crucial difficulty: cybersecurity is not their primary purpose. Every business needs strong cybersecurity, but it is incidental to producing goods or providing services and making a profit. For SMEs and fledgling organisations, creating, integrating and maintaining an extensive IT department with consistent incident reporting is unsustainable.

The solution to the problem of under-reported cyber issues is clear but not simple: staff need to be given thorough cybersecurity training and a clear pathway for reporting incidents to management. Organisational authority and responsibility for cyber-risks needs to be formally clarified and a written cybersecurity policy put in place. Management must be ruthless in maintaining their own organisation’s cybersecurity, even if it means harming supply-chain relationships.

To do even one of these things is extremely difficult for a small or medium enterprise; trying to resolve this issue completely can be crippling. There is no guidance or precedent for most business owners to learn from, since creating a strong workplace security culture and eliminating communication bottlenecks depends on the unique structure, needs and operating procedures of each individual business. These are the exact difficulties that the NHS Birmingham Community Healthcare Trust struggled with in 2020 – with a wide dispersal of workers in terms of both physical location and specialisation, a lack of internal cybersecurity expertise and too few resources to recruit cyber experts. The Trust was struggling with both known and unknown security issues. [xi]

The solution was to partner with an external service provider: CyberGuard Technologies enabled this NHS trust to draw on dedicated security expertise and support, allowing the internal IT department to focus on providing support to doctors and caregivers while being assured of a pro-active approach to emerging cyber threats. CyberGuard’s Enterprise Cyber Security Services go further than most security service-providers, working with their partner organisations at a structural level, creating an in-depth plan for moving forward with confidence. [xii]

[i] https://www.redseal.net/files/PDFs/RedSeal%20UK%20B2B%20Research%20SUMMARY_July2019.pdf

[ii] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021

[iii] https://www.isaca.org/why-isaca/about-us/newsroom/press-releases/2019/new-study-reveals-cybercrime-may-be-widely-underreported-even-when-laws-mandate-disclosure

[iv] https://www.hrreview.co.uk/hr-news/cyber-security-training/139844

[v] https://www.bbc.co.uk/news/business-55824139

[vi] https://www.cpomagazine.com/cyber-security/report-shows-appalling-state-of-employee-awareness-of-common-cyber-security-risks/

[vii] https://www.ogl.co.uk/vulnerability-management

[viii] https://www.ogl.co.uk/where-does-the-sme-fit-into-a-supply-chain-atta

[ix] https://www.redhat.com/en/enterprise-open-source-report/2021

[x] https://www.brainyquote.com/quotes/oscar_wilde_128481

[xi] https://www.ogl.co.uk/bchc

[xii] https://www.ogl.co.uk/cyber-security

© 2024 Professional Security Magazine. All rights reserved.