Companies are usually tight-lipped about their cybersecurity practices. A new study suggests that greater transparency could prod them to improve threat prevention.
More transparency, not less, is the trend within the enterprise in nearly all facets of business—except cybersecurity. Case in point: Only 17 percent of companies make public the results of regular audits of security policies and systems, according to a recent report by the Principles for Responsible Investment Association. What’s more, when reports of real threats emerge, even highly scrutinized powerhouses like Google allegedly try to cover up security vulnerabilities without alerting users until it’s too late.
It’s no surprise that companies chafe at revealing their cybersecurity practices. For one, they don’t want to raise concerns among users that their data may be at risk. For another, no company wants to advertise that it is engaged in a constant struggle to combat a barrage of increasingly sophisticated and stealthy cyber-threats.
But would cybersecurity actually improve if more businesses were transparent about their challenges? What if they shared their goals for and progress toward improvement, just as they might if they were reporting on, say, their efforts to reduce greenhouse gas emissions? A recent study from the University of British Columbia’s (UBC) Sauder School of Business says yes.
The Positive Power of Public Pressure
Researchers at the Sauder School recently quantified the security levels of more than 1,200 companies in China, Hong Kong, Macau, Malaysia, Singapore and Taiwan. They gave each firm a security score, similar to a Moody’s or Standard & Poor’s credit rating. They based these scores on an evaluation of each company’s preparedness against two security issues: spam emails and phishing website hosting.
According to the study’s co-author Gene Moo Lee, publicizing firms’ security levels not only leads to greater transparency, but could also help to strengthen companies’ security protections over time. By making the public aware of poor performance, a company could face increased pressure from customers to improve its practices, for example.
“One thing we wanted to achieve with the study is to show consumers how their providers are handling security,” Lee says. “Creating peer pressure was another goal of the research. We expected it would create some dynamics once companies knew their score and that of their competitors.”
The results bore out this prediction: Firms were indeed more likely to fix issues related to spam emails originating from their compromised computers. Lee says spam emissions from the companies they scored “decreased dramatically.”
For Better Security, Be Proactive
Matthew Barrett, program manager for the National Institute of Standards and Technology Cybersecurity Framework, a voluntary set of best practices for businesses to manage cybersecurity risks, says the growing number and size of data breaches in recent years has put more companies under pressure to be transparent about how they are managing cybersecurity.
“It’s in everybody’s consciousness. Awareness is naturally driving improvement and attentiveness in the space,” Barrett says. But rather than waiting for public pressure to ramp up once a breach comes to light, companies must be proactive about transparency, he says. He suggests that companies let consumers know they have built security into new products from the outset and are improving the security of existing products.
One impediment to transparency may arise if companies collaborate with third-party vendors whose own practices are murky.
As George Johnson, vice president and chief security officer of cybersecurity solutions firm NC4, explains in a recent Bloomberg podcast with Mike Walker, “Companies and developers don’t truly understand all the third-party components they put into a finished product. You should know what is in there, have some assurance that it is well written, and try to know who wrote it and how seriously they took security.”
Companies cannot take it on faith that vendors are deploying best practices. “Security cannot and will not emerge if the components are weak and the processes do not identify them,” Johnson emphasizes.
Real Transparency Takes Long-Term Commitment
Though Lee and Barrett are both optimistic that increased transparency can improve cybersecurity after weaknesses are reported, it’s essential that companies start holding themselves accountable, regardless of public and peer pressure.
Lee’s Pan-Asian study, for example, built on a similar experiment involving U.S. companies a few years ago. After those results emerged, Lee says many of the companies involved stepped up their cybersecurity practices—but eventually slipped back into their old practices.
“We found that once we stopped sharing updates with them about their cybersecurity, they went back to their normal state,” Lee says.
For transparency to make a meaningful difference in cybersecurity, companies need to continue to monitor themselves and report their findings—no matter how unsavory they might be. Experts agree that it’s the only way to keep improving risk prevention and maintain the trust of their customers.