When a cyber-attack occurs, many companies turn their attention not only to those who steal data but also to another, equally fearsome enemy: competitors who could benefit from the exposure of their innermost secrets.
As much as large enterprises may share many of the common risks and vulnerabilities from an IT perspective, they are naturally reluctant to work as a team to combat data breaches and DDoS attacks. That’s why one of the announcements that came out of last week’s cyber-security summit convened by the U.S. government was so controversial: Barack Obama essentially gave private sector organizations a direct order to start the equivalent of a neighbourhood watch program to fend off digital intruders.
In an executive order that was signed just before Valentine’s Day, the White House identifies best practices and standards for what constitutes optimal information-sharing units or “hubs” within vertical industries, and measures the effectiveness of communication. The idea is that the hubs would not only alert each other when one of them is hit by a cyber-attack but that they could routinely work to prevent the worst incidents and, if nothing else, stop the damage from spreading too far when they do. Some of these hubs are apparently already established.
“We’re not going to solve all of the really sophisticated actors or defeat all the advanced persistent threats just by increasing information sharing,” J. Michael Daniel, cyber-security coordinator at the White House, admitted to eWEEK. “But we have seen industries that have increased their information sharing—such as in the financial services industry—and that does make a meaningful difference in being able to cut out a lot of the low-level attacks and intrusions. When you do that, then you can focus your humans on the more sophisticated intruders. I see this as a sort of baseline for us just to stay in the game.”
If that’s true, what’s Canada’s baseline? Although we certainly have a number of industry associations, and while I’m sure our financial services sector has similar relationships in place, I imagine many of our firms in other areas are as isolated as those south of the border. Yet data breach notification remains a contentious issue here, with potential legislation still in limbo. I’ve talked to several lawyers recently who all say concerns about information protection are at an all-time high, but that they struggle with the best ways to stay on top of all the various threats.
Creating and maintaining data security hubs will not be easy, but even if the U.S. is only partially successful, it seems inevitable that organizations here should follow suit. In fact, given how many multinational firms have offices here, the pressure to be a part of such hubs may come sooner rather than later. Canadians sometimes seem averse to copying an American approach, but this is one case where it might make sense. No matter how long-standing the rivalries between certain organizations for customers, profits and more, the rise in IT security threats means we’re all on the same side. It may be time to start acting like it.