Companies resist mandatory disclosure, cybersecurity suffers
By Benjamin Cher September 1, 2015
- Industry should spearhead breach disclosures and info-sharing, says panel
- Security industry itself should take the lead to show by example
BOTH Malaysia and Singapore have passed personal data protection laws in recent years, and yet neither country has made it mandatory for companies to disclose if personal data has been compromised.
Companies are still wary about sharing breach information, fearing a loss of customer confidence and trust, as well as damage to their reputation.
The challenge with making disclosure mandatory is pushback from the companies, according to Foo Siang-Tse, senior vice president at e-Cop, a business unit of Certis Cisco’s Cyber Security Group. Certis Cisco itself is a sanctioned commercial auxiliary police force in Singapore.
“The industry lobby is very strong,” Foo said during a panel discussion at the CloudSec 2015 security conference organised by Trend Micro Inc in Singapore recently.
READ ALSO: Public sector increasingly targeted: Trend Micro Q2 2015 roundup
However, Rik Ferguson, vice president of security research at Trend Micro, argued that companies have little to fear in sharing such information.
“The breaches that happened in the United States and Europe have involved big banks and consumer brands – in almost every case, their share prices have gone up afterwards,” he declared.
“The brand damage doesn’t seem to happen and you can support this with evidence,” he added.
Ferguson said he believes that disclosure and sharing from a ‘sectorial approach’ would work in promoting such concepts among businesses.
“It would make sense to do it sector by sector because you can [always] find one sector which is more receptive,” he said.
“It can be a great proof-of-concept to get buy-in from the other sectors,” he added.
Rod Stuhlmuller, senior director of product marketing at cloud and virtualisation company VMware Inc, argued that it was more than just about disclosure.
“It’s not really about disclosure but more about risk mitigation,” he said.
“If they [companies] can reduce risk while reducing operational costs and without losing budgets, they would be all for that,” he added.
Aloysius Cheang, Asia Pacific managing director at Cloud Security Alliance, however said that disclosure has to be industry-led and not government-legislated.
The Cloud Security Alliance is a global organisation dedicated to defining and raising awareness of best practices in securing cloud environments.
“We think that the best way to help disclosure is through self-regulation and industry-led efforts to establish common best practices,” Cheang said.
“What we are trying to do is a self-help initiative for companies,” he added.
Building communities, fighting fire
When asked about how the security industry can help build or foster information-sharing within industries, Ferguson said it has to be by way of example.
“I think our best chance is to try lead by example – we talk to each other and share data rapidly and regularly, it is not an ad hoc thing,” he said.
While the financial services industry has been leading the charge in sharing information, with the FS-ISAC (Financial Services Information Sharing and Analysis Centre), Ferguson sees the healthcare industry coming on board as well.
“Because healthcare is such a big target right now, [healthcare players] are beginning to have their own information-sharing communities,” he said.
Ferguson said that working closely with Cyber Incident Sharing Centres (CISCs) is key to getting companies within a sector to share information.
“Because it’s the CISCs which will be able to lead that effort to lead that effort to bring communities together and foster that attitude of collaboration,” he added.
However, the Cloud Security Alliance’s Cheang believes that with the Internet shrinking the world into a global village, the problem of security being only as strong as the weakest link is even more evident.
“There’s also the issue within industry – my understanding is that some people still rely on the good old-fashioned way of picking up the phone and calling each other,” he said.
This means that there is no sharing within the greater community in any industry, he argued. “It’s a simple, completely detached sharing of information.”
“The security community doesn’t really share, it’s not in our nature to share – it’s the ‘Black Hat’ community that shares,” he added, referring to malicious hackers.
However, Trend Micro’s Ferguson denied this. “We have a lot of formal mechanisms in place between security vendors to make sure we share IP (Internet Protocol) addresses, threat vectors and attack information.”
For its part, Stuhlmuller said that VMware sponsors events where only customers are present, to encourage them to share information.
“They share information on what’s working for them in security, what’s not, what they’re doing, and what they’re seeing,” he said.
“We sponsor these events to foster that kind of sharing,” he added.
While information sharing can help prevent attacks, Ferguson brought up the important point that these efforts should ultimately lead to the arrest of criminals.
“There are and will be instances where you shouldn’t share information when you are aware an attack is taking place, because it’s part of an on-going law enforcement investigation,” he said.
“If you alert criminals, they will get away,” he added.
There is a trade-off, Ferguson said, as investigations would require that information remain under wraps to secure enough evidence – but sharing it will allow everyone else to secure themselves against such attacks.
“The only thing in the long term that disrupts online crime is arresting criminals and not taking down infrastructure,” he said.
Related Stories:
The threat landscape runneth over, here’s what we need to do
Security weaknesses must be shared openly: Facebook CSO
Privacy laws: Why we have them, and who benefits
HITB: An ecosystem of disruptions and dependencies
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.