As kids we’re taught to share our toys. It’s a hard lesson to “get.”
When it comes to cybersecurity and information sharing, many still don’t “get” it. Liability concerns, competitive disadvantages, and so on get in the way. But even if some of these concerns are legitimate, this lesson really shouldn’t be so hard.
According to the latest Verizon DBIR, while compromises are happening faster, the time to discover a compromise is taking longer than in previous years. We can combat this challenge through the use of sound threat intelligence and sharing among “friends.” Through intel you can be more prepared in advance of an attack, reducing the number of incidents you need to respond to.
Many are trying to address this sharing problem — hence the creation of Information Sharing and Analysis Centers, aka ISACs. There are a boatload of ’em — 18 listed on Wikipedia’s page on ISACs. Each of these ISACs is specific to an industry, so in theory there is relevancy built in to the information that is shared. The intent of these ISACs is sound, and there are many good people working to make these ISACs really useful. But they have their limits as well. We all have businesses to run and support after all.
So how do we take the ISAC concept up a notch, so that the intel being shared is not merely relevant, but SPECIFIC to your business? Privatize the ISAC to fit your own business ecosystem. This means pulling in your partners and suppliers. You should already be sharing information with them anyway; just include cyber as part of it.
Whether you are a big, medium or small business, most likely you have partners and suppliers that are an extension of your cyber footprint. They typically have some level of access to your network, applications and data. Having these intersecting points allows business to run more efficiently. But with these intersections comes risk. A company’s suppliers are often integral to its business — I need X and Y to fulfill Z, and X comes from a supplier. Suppliers that don’t pay enough attention to security ultimately can cause a very direct and painful impact on your business (Target is the obvious supply chain cyber example used often, but there are plenty more where that came from).
As opposed to sharing information with folks you don’t know (and let’s be honest, how much do you want to really expose to a wider audience not within your control?), your own supply chain is, for all intents and purposes, just an extension of your own enterprise. It only makes sense that your security “umbrella” should extend out a bit over them as well.
As such, sharing info, analysis and expertise within your “extended family” can be very valuable to establishing the kind of early warning system that is the promise of cyber information sharing to begin with — and without most of the risks.
Sharing threat intelligence, risk identification and other analysis with your partners helps you help yourself. Cybercriminals work together and share information all the time in Dark Web forums and even sometimes out in the open.
Sharing is caring. And the group of folks that you will get the most value out of sharing cyber threat intelligence with are the companies in your supply chain.