Cyber-attackers occupy a dark, secretive, online world, but the corporate figures fighting off these virtual bad guys can be equally clandestine.
During the research for our report on information risk, we came up against a code of silence among some CIOs, CISOs and other security professionals, almost worthy of a mafia-style omertà. Some would not speak openly to us, insisting on anonymity, non-affiliation or only talking in vague generalities; others would refuse to engage at all.
The reasons for being tight-lipped are evident. Publishing specific details about hacks will highlight weak spots, or at least point to where most attention or resources are being deployed. Even talking about cyber-attacks can attract more attention from cyber-attackers.
A big no-no is to display any form of swagger when talking about defences. Cyber attackers, it seems, must be treated a bit like the Queen—with a generous serving of humility and respect. (Certainly don’t turn your back on them!)
Our new report encourages companies to be more open with each other about attacks, in the interests of managing risks to their information more effectively, so it seems only fair that we also play ball. The Economist Group is in the business of information, after all.
To their credit, our in-house information security team has been happy to talk—if at times a bit careful or hesitant with their responses. Talking openly about these risks and incidents ultimately raises awareness among staff, they say, which helps them do their job.
The importance of this “human firewall” is why some organisations dedicate the whole of October to raising the profile of cyber security internally, as part of “cyber security awareness month”.
Inside job
Employee awareness at The Economist Group is on the up, confirms the team, although the metric they use to measure this success seems contradictory at first: we have already experienced three times as many incidents this year compared to all of 2012.
The reasons for this are two-fold. Firstly, there is a general increase in the level of cyber-crime. Secondly—and more significantly—raised awareness levels mean that employees are reporting more instances of sketchy activity to the information security team.
This raised awareness goes right to the top. A few days before The Economist newspaper went to press with a picture of Assad of Syria on the cover, the editor sent the security team a heads-up, giving them time to “button-up” our own defences, including prepping journalists involved in the story and alerting service providers to expect increased activity.
(A regular torrent of hate mail from angry readers also helps raise the editor’s awareness—only now the Disgusted of Tunbridge Wells may include hacktivists, who can attempt to bring down the website using a distributed denial-of-service (DDoS) attack.)
Nothing happened immediately after the Assad front cover, but a few weeks later the team suspected an unsuccessful attempt by the Syrian Electronic Army.
Hidden costs
The elevated number of incidents in 2013, mentioned above, equates to around 50 incidents in total, three of which have been significant enough to report up to senior management. One involved an insider, another hacktivism; neither is up for discussion.
The third incident is the only one we can talk semi-openly about (up to now, incidents have not been disclosed internally, but discussions about doing so are currently taking place).
Earlier this year, the team noticed an irregular number of failed attempts to log into the website. Further investigation revealed that the same person was repeatedly trying different username and password combinations from multiple sources.
It is difficult, apparently, to be sure about the exact nature of this ultimately unsuccessful incident. But given the small number of attempts per username, the team suspects an opportunist was using a list of stolen usernames and passwords, published after a successful attack, such as the Adobe hack. Essentially, a cyber-chancer applying stolen data to every other website they can think of to see what data-goodies they can get hold of.
Increased employee awareness helps limit the success of such attacks—in monetary terms the damage is in the thousands of pounds. Still, it is not without its downsides. More incidents come at an “opportunity cost” to the team: spending 75% of their collective time on incident management this year, compared to 25% last year, means less time for developing the overall security program.
Opening the kimono
At the beginning of December, the head of our information security team will be talking about all of these experiences with fellow CISOs. The secret summit, held at a five-star hotel in central London, is closed-door, invitation only.
Opportunities to share information in this way are welcomed. All of the Economist team, on both sides of the Atlantic, attest to the benefits of being members of various media groups. The likes of The New York Times, NBC and CBS gather in New York, while the BBC, FT and others get together in London.
Greater public disclosure, however, is less straightforward. At the moment, there is a disincentive to notifying the regulator of a data breach, since the “reward” for doing so is often a fine (although as a private company, The Economist Group doesn’t technically fall within the rules).
In the US, where the SEC requires public companies to disclose material breaches, there are several entrepreneurial fellows who publish this collated information, sparing busy cyber-attackers the chore of having to trawl through wordy corporate disclosure documentation on the SEC’s website.
Until these types of issues are resolved, any rule change requiring mandatory disclosure should be anonymous and aggregated, says the team. Raising awareness is one thing but they are not yet prepared to come completely in from the cold.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views of The Economist Intelligence Unit Limited (EIU) or any other member of The Economist Group. The Economist Group (including the EIU) cannot accept any responsibility or liability for reliance by any person on this article or any of the information, opinions or conclusions set out in the article.