Marc Barrachin, managing director of New Product Development at S&P Global Market Intelligence, and Algirde Pipikaite, project lead of Industry Solutions at the Centre for Cybersecurity, World Economic Forum, renewed calls for a global standard for reporting cyberattacks in a Nov. 6 Harvard Business Review article.
In their article, the authors argue that cyberattacks are one of the top global risks and say the main challenge in managing cybersecurity is the data gap.
“Very little cyber data is broadly available, making it difficult to objectively evaluate the potential impact of incidents,” the authors wrote. “Through our work with stakeholders across regions and industries, we propose an approach to identifying what to measure, how to capture the required data, and how to make it useful.”
To improve cybersecurity, the authors make their case for why sharing information across organizations and regions should be improved and the importance of compliance.
“Information is power and, in cybersecurity, it’s the power to prevent other similar events,” Barrachin and Pipikaite said. “If a breach occurs in one organization, we can be reasonably confident that the same malicious tactic will be used on another organization in the near future. If the data about that first known breach is made available, other organizations can prepare themselves and ensure that the same vulnerability is not used against them.”
On top of helping similar organizations defend against similar attacks, improved information sharing benefits regulators and law enforcement by allowing them to “objectively manage incentives to guide corporate cybersecurity governance, data gathering, and information sharing.”
To determine what exactly should be shared and measured when it comes to cyberattacks, the authors call for “a standard taxonomy of cyber events.”
They said the taxonomy should include:
- “Dates relevant to the incident (when it occurred, when it was initially detected, when it was reported)
- Type of incident (breach, malware, distributed denial of service [DDoS], etc.)
- Size of impact on financial results or ability to conduct business
- Type of impact (data breach, financial loss, operational, legal, reputational, intellectual property, etc.)
- [A] method used to access the network or data (phishing, ransomware, virus, zero-days exploitation, etc.)
- How the incident was resolved (patch, update firewall configuration or software, etc.) and cost of the resolution”
The article acknowledges that organizations may be hesitant to share information about an attack publicly, for fear of disclosing vulnerabilities or suffering reputational or financial damage. To that end, the authors say that it is important to guarantee anonymity to organizations that report cyber incidents. However, they do argue that “in order to make the cyber breach data relevant, each incident should be tagged to firmographics, such as the organization’s industry type, range of revenue, number of employees, geographic footprint, so that organizations with similar profiles can identify potential threats and impact.”
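To make the proposed taxonomy and the anonymity-plus-firmographics tension concrete, here is an added example (not code from the HBR article or from S&P Global or the World Economic Forum) of a reporting record built from the fields the authors list. It validates an incident against the taxonomy, checks that the occurrence, detection and reporting dates are in order, and replaces the organization's name and exact revenue and headcount with coarse bands so that peers can match on profile without the reporter being identified. The band boundaries, the sample organization and the sample incident are constructed for the example; the article prescribes none of them.

```python
from datetime import date
from typing import Dict, List, Tuple

# Categories named in the article's proposed taxonomy.
INCIDENT_TYPES = {"breach", "malware", "ddos"}
IMPACT_TYPES = {"data breach", "financial loss", "operational", "legal",
                "reputational", "intellectual property"}
ACCESS_METHODS = {"phishing", "ransomware", "virus", "zero-day exploitation"}

# Hypothetical firmographic bands (assumption: the article only says
# "range of revenue" and "number of employees", not where to cut).
REVENUE_BANDS: List[Tuple[float, float, str]] = [
    (0, 10e6, "<10M"), (10e6, 100e6, "10M-100M"),
    (100e6, 1e9, "100M-1B"), (1e9, float("inf"), ">1B"),
]
EMPLOYEE_BANDS: List[Tuple[float, float, str]] = [
    (0, 50, "1-49"), (50, 250, "50-249"),
    (250, 1000, "250-999"), (1000, float("inf"), "1000+"),
]

# Constructed sample input: a reporting organization and one incident.
SAMPLE_ORG = {
    "name": "Example Manufacturing Ltd",   # must NOT appear in the shared record
    "industry": "manufacturing",
    "annual_revenue_usd": 250e6,
    "employees": 600,
    "regions": ["EU", "NA"],
}
SAMPLE_INCIDENT = {
    "occurred": "2021-03-01",
    "detected": "2021-03-12",
    "reported": "2021-03-20",
    "incident_type": "breach",
    "impact_types": ["data breach", "operational"],
    "impact_usd": 1.2e6,
    "access_method": "phishing",
    "resolution": "patch",
    "resolution_cost_usd": 150_000,
}


def band(value: float, bands: List[Tuple[float, float, str]]) -> str:
    """Map an exact figure to its coarse band label."""
    for lo, hi, label in bands:
        if lo <= value < hi:
            return label
    raise ValueError(f"no band for value {value}")


def validate_taxonomy(incident: Dict) -> None:
    """Reject records that use labels outside the shared taxonomy or have dates out of order."""
    if incident["incident_type"] not in INCIDENT_TYPES:
        raise ValueError(f"unknown incident type: {incident['incident_type']}")
    bad_impacts = set(incident["impact_types"]) - IMPACT_TYPES
    if bad_impacts:
        raise ValueError(f"unknown impact types: {sorted(bad_impacts)}")
    if incident["access_method"] not in ACCESS_METHODS:
        raise ValueError(f"unknown access method: {incident['access_method']}")
    occurred, detected, reported = (date.fromisoformat(incident[k])
                                    for k in ("occurred", "detected", "reported"))
    if not occurred <= detected <= reported:
        raise ValueError("dates must satisfy occurred <= detected <= reported")


def build_record(org: Dict, incident: Dict) -> Dict:
    """Produce the shareable record: taxonomy fields plus anonymised firmographics.

    The organization's name and exact figures are deliberately not copied;
    only industry, bands and geographic footprint travel with the incident.
    """
    validate_taxonomy(incident)
    occurred = date.fromisoformat(incident["occurred"])
    detected = date.fromisoformat(incident["detected"])
    reported = date.fromisoformat(incident["reported"])
    return {
        "dates": {"occurred": occurred.isoformat(), "detected": detected.isoformat(),
                  "reported": reported.isoformat()},
        "detection_lag_days": (detected - occurred).days,
        "reporting_lag_days": (reported - detected).days,
        "incident_type": incident["incident_type"],
        "impact_types": sorted(incident["impact_types"]),
        "impact_usd": incident["impact_usd"],
        "access_method": incident["access_method"],
        "resolution": incident["resolution"],
        "resolution_cost_usd": incident["resolution_cost_usd"],
        "firmographics": {
            "industry": org["industry"],
            "revenue_band": band(org["annual_revenue_usd"], REVENUE_BANDS),
            "employee_band": band(org["employees"], EMPLOYEE_BANDS),
            "regions": sorted(org["regions"]),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_record(SAMPLE_ORG, SAMPLE_INCIDENT), indent=2))
```

The detection and reporting lags are derived rather than reported so that a consumer of the data set can compare how quickly similar organizations noticed and disclosed, which is exactly the kind of comparison the three dates in the taxonomy are meant to enable.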
The article also addresses the role regulators play in staving off cyberattacks. “[M]ost regulators aren’t asking for the right kinds of information to be useful if shared,” Barrachin and Pipikaite wrote. “The U.S. Securities and Exchange Commission, for example, requires publicly traded companies to disclose their cyber risk exposure, but doesn’t demand the specific kinds of data we describe above. Thus, it’s not surprising that most companies simply offer a boilerplate legal disclaimer that gives no insight into exposure or preparedness.”
To ensure that needed data is reported, the authors call for a public-private partnership that will give impacted organizations the operational support needed to monitor their security and share information via “a trusted resource.”