Imagine that you log in to your computer and suddenly spot something weird. For example, you notice a bunch of sent emails to unknown addressees which went out from your email address. Does it mean that you are under attack? And if so, what are you going to do about this? Whom do you call? We have conducted a series of questionnaires with representative samples of the US, UK, and German population and discovered a very alarming trend. It turns out that the majority of people often do not even realize they have experienced an attack.
Specifically, using a sample of 1234 people from the USA (450 individuals), UK (450 individuals), and Germany (334 individuals), we first asked them a very simple question: “Have you been a victim of a cyberattack in the last 12 months?” If a respondent replied “Yes” to that question, we would ask them to briefly describe the event. If they answered “No”, we would ask the respondents a series of questions to test whether they could have been subjected to an adversarial action without their knowledge. In our survey, 28% of US, 27% of British, and 29% of German respondents said they had been a victim of a cyberattack. So, over 70% of individuals from each country reported that they had not experienced a cyberattack in response to our direct question. Yet, in the subsequent questionnaire, it became obvious that the majority of those who replied “No” to our first question (equating to over half in each country) actually were victims of some type of an attack without realizing it. Furthermore, over 55% of people in all countries did not know whom to call and where to report cybersecurity issues; and about 30% in each country said they would first call their Internet provider, irrespective of the issue.
Unfortunately, the situation with businesses is not a lot better. We have recently been in contact with a company where a CEO noticed that several things had gone wrong with his laptop login. He did not pay much attention to this and simply recounted the story about the problem as an anecdote to his friend, who happened to be a police officer. Luckily, this friend advised the CEO in question to call cyber police unit asap, and they helped the company to uncover a major cybersecurity threat and prevent a cyberattack. Though this story ended well, it is very characteristic of the current state of affairs in the private sector. Even when an attack or potential start of an attack is spotted, businesses often do not know how to react and whom to call.
While businesses often face attacks individually and can only count on their own expertise and resources when dealing with a threat, adversaries work collaboratively. This stems from the fact that adversaries have a common goal while going after the digital valuables of certain actors, whereas businesses have competing goals, or at least perceive their goals to be competing, when operating in cyber spaces. Businesses also often operate proprietary technological systems, while cybercriminals openly share technological know-how and intellectual property. Even when businesses share technological tools or human-centered methodologies, they do so within a circle of partners, whereas adversaries operate in a multisided market environment where they share information, expertise, and where any actor, no matter how small or insignificant, can get in direct contact with any other actor (even when that actor is large and powerful). In the business world, innovations are subject to ownership and patenting, while adversaries effectively share innovations.
While cybersecurity expertise is often outsourced when we talk about businesses, adversaries are often in possession of unique (“elite”) skillsets which allow them to directly engage in attacks at different levels. Cybersecurity operations within businesses are either outsourced or centralized, dependent on the level of technological and strategical maturity of the business. At the same time, adversaries often operate decentralized systems (centralized operations are also possible when we talk about organized criminal groups). Also, while the average level of technical and attack-recognition training in businesses is very limited, most adversaries have an advanced understanding of the field.
Academic research shows that the main reason fuelling deficiencies in information sharing and communication is a common view among the business community that barriers of information sharing outweigh its benefits. Usually, eight groups of barriers are identified:
Legal barriers are associated with potential disclosure of private information.
Technological barriers reflect a lack of synergies and comparability between sharing the systems of different businesses.
Informational barriers include the availability of excessive, irrelevant, or even misleading information.
Collaborative barriers refer to a lack of trust between businesses
Managerial barriers comprise risk aversion due to concerns of being potentially subjected to uncontrolled risk, disagreement about trusted channels through which information should be accumulated and shared, etc.
Organizational barriers reflect a lack of operational capability and, sometimes, a lack of expertise to process cybersecurity information.
Performance barriers are associated with the potential reputational costs and loss of profit should undesirable information surface in the public domain;
Cost barriers are the associated investment needed to increase information-processing capabilities and create the systems associated with them.
At a business-to-consumer level, communication and information sharing fails primarily due to business inability to effectively deliver information to the targeted audiences. In circumstances where the overwhelming majority of attacks start with a phishing email, it is very important to equip customers with useful information, allowing them to spot cybersecurity threats. Many businesses devise information campaigns to warn their customers of potential risks. However, like any social marketing campaigns, they are “one-size-fts-all” tools. Yet, we know that people have a different propensity to detect cybersecurity risks and engage in risky activities in cyberspace. Within businesses, we often observe either (i) no investment in cybersecurity training or (ii) the supply of too much “one-size-fts-all” information to staff about cybersecurity issues. The former is equivalent to buying the best defense systems to fight the war but not training the population to use those systems. The latter is equivalent to providing the same information about flu to a highly anxious, nervous person and a laid-back person. Clearly, both of these strategies are suboptimal.
At business-to-business and business-to-regulator levels, the information- sharing channels are also broken, although recently the trend towards establishing better systems of communication has started to pick up in many industries. For example, the MISP platform positions itself as “a threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information,” and seems to be making steps in the right direction. There are also interesting moves in the same direction within particular industries where businesses understand that if a particular threat hits their competitor today, it might hit them tomorrow as well. Yet, again, very often information sharing within industries happens among a circle of partner organizations, fuelled by trusted personal relationships between CEOs, CIOs, and cybersecurity architects, rather than within an open and multisided platform.