Let's Normalize 'Radical Transparency' Around Data Breaches


Data breaches are now widely accepted as an inevitability; it’s not a question of ‘if’ but ‘when’ a company will fall victim to a cyber-attack. The professionalization of cybercrime has reached a dangerous high. Organizations now face a quickly adapting dark economy which has seen cybercrime-as-a-service become common business practice. Combined with the broadening IT landscape and the proliferation of hybrid work, cyber-criminals have more opportunities and methods of conducting cyber-attacks than ever before. 

While there is no simple way to prevent every breach, since attackers will always find new ways into systems, leaders have markedly different options for mitigating the impact of these incidents when they do occur, and for building a stronger internal cybersecurity culture in the process. It all starts with how leaders communicate in the immediate aftermath, both internally and externally.

Embracing Transparency Should be the Norm 

Consider the story of two tech giants, two huge data breaches and two very different approaches to dealing with them. In October, Uber’s ex-CSO was found guilty of concealing a data breach that occurred in 2016 – Joe Sullivan told a subordinate that information about the breach needed to be “tightly controlled” and that the public story was to be that “this investigation does not exist.”  

Dropbox also recently fell victim to a phishing attack, but tackled it in a very different way; the company released a detailed statement about what had happened, how it had been dealt with and what it would mean for customers. There was no secrecy, covering-up, finger-pointing or downplaying of the severity of what had occurred. Dropbox’s communication was radically transparent – and the company has set the precedent for a new chapter in how big tech companies talk about cybersecurity.   

‘Radical transparency’ refers to an organizational culture of complete openness with colleagues, customers, vendors, suppliers and partners. But radical transparency goes beyond disclosing information only when it is required; it means proactively sharing important information, even when doing so feels uncomfortable.

In the context of cybersecurity, radical transparency can empower everyone within an organization to come forward when an attack occurs, which can help limit damage from the breach itself, help teams learn from past errors and become better at spotting and reacting to future threats – all basics of “incidental learning,” which is a theory from learning psychology also used in phishing simulations. Leaders need to follow the example Dropbox has set with this data breach, not only to benefit their own image but also to help change the culture of blame and finger-pointing that is so prominent in the rest of the industry. This will help to increase awareness of the topic both within an organization as well as impacting attitudes and perceptions in broader society. 

The Role of Radical Transparency for Security Awareness 

Security awareness is all about strengthening digital self-defense and enabling people to spot cyber-threats and react accordingly. Talking openly about cyber incidents is one component of a comprehensive organizational security culture, and it helps raise awareness of the topic, especially as a starting point for understanding cybersecurity as something that affects us all.

Our recent data shows that security awareness is still worryingly low in general, with younger employees most vulnerable. In the current culture of fear surrounding cyber-attacks, these junior employees are far less likely to come forward if they believe they will face punishment or humiliation when they do. Seeing leaders normalizing open and honest discussion of these issues can give employees the confidence that they are not alone and will be supported – not blamed. 

Proactive communication can enable companies to maintain a degree of control over the narrative and reporting of a breach in the media. Radical transparency limits the risks of reputational damage if a company is revealed to have tried to bury news of an attack or deny it even happened (as Uber did). Being forced to disclose a hack or data breach only after it’s been discovered by a third party can be devastating for public perception and trust.  

Shifting blame away from individual employees and being proactive in talking about cyber-attacks from the senior leadership level down could solve some major cultural challenges currently faced in cybersecurity.  

This helps demonstrate that the importance of the human factor in cybersecurity cannot be overstated. The fact that most cyber-attacks begin with the human factor underlines the need for an open and collaborative security culture, one that aims to support and motivate employees to practice safe cybersecurity routines.

It’s crucial that leaders change their current mindsets around cybersecurity and set a better example for both senior peers and employees. Following Dropbox’s example and owning up to cybersecurity vulnerabilities will help organizations create and nurture a stronger, more human-centric security culture.  
