identity & security

Cybersecurity Shouldn’t Be a Secret: Why Transparency Matters

We offer three tactics to create a more open and secure company — for your colleagues and end users.

->Two people shaking hands in office environment<-

Image via Pexels

Cybersecurity can be a black box. If you aren’t a software engineer, it’s almost impossible to figure out what’s happening behind the scenes to reduce threats and protect data.

And even if you are an expert, the multitude of changes, threats, and solutions can be dizzying.

None of this is helped by the fact that most companies choose to remain tight-lipped about what cybersecurity measures they have in place. In some ways, that makes sense: publicizing too much about your efforts could decrease your competitive edge and make you vulnerable to more attacks.

On the other hand, an intense level of secrecy about cybersecurity can be crippling. Knowledge-sharing throughout the industry is limited, and your customers can feel as though they’re left in the dark about what’s being done to protect their private information.

As a result, certain companies are opting to increase their transparency and disclose their cybersecurity practices. This piece will highlight the main drivers of change — and offer concrete solutions for business leaders to clarify their cybersecurity practices in a valuable manner.

A Growing Push for Transparency

Pioneering regulations, as well as thoughtful business leaders, are catalyzing transparency initiatives.

In February 2018, for example, the U.S. Securities and Exchange Commission published an update to their 2011 cybersecurity statement. The update states that all publicly traded companies must "take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion." In addition, the National Conference of State Legislatures reports that at least 24 different states have introduced laws related to the data security practices of private companies.

In the UK, the National Cyber Security Centre (NCSC) is pushing for “more openness and demystification” around cybersecurity practices. This encompasses the work that the NCSC does with EU multinational companies.

For all companies that handle the data of EU citizens, regardless of their physical location, GDPR requires controllers to communicate about their data processing methods in “transparent, intelligible and easily accessible form, using clear and plain language.”

Along with these external pressures, leaders within organizations are pushing for change. Microsoft’s Cybersecurity Field CTO Diana Kelley is developing the company's Trust Center, which clearly articulates for customers how Microsoft uses and secures their information. Microsoft shares its progress on data security at an annual meetup with peers like IBM, Netflix, and Facebook.

As national and global regulations — as well as peer pressure — heat up, it's imperative for teams to have a plan in place for intelligently sharing their cybersecurity practices.

3 Ways You Can Increase Your Team's Transparency (and Bolster Your Security)

While a handful of teams are vocal and forthcoming about cybersecurity measures, it still isn’t second nature for many. Here are three ways to increase your own transparency and bridge those trust gaps inside and outside your organization.

1. STRENGTHEN EMPLOYEE TRAINING.

->Board meeting and presentation in office environment<-

Image via Pexels

Remember, not everybody within your organization is a cybersecurity expert. According to the University of Phoenix, just 10% of U.S. adults are familiar with common cybersecurity job titles (e.g., penetration tester or chief information security officer). 52% of the survey’s respondents had never even heard of the titles.

True transparency isn’t just about giving people information; it’s also about ensuring that they understand it. Internally, you need to invest in thorough training across all departments so that employees are fully aware of what to watch out for and how to protect themselves.

While your colleagues are your greatest assets, they can also be your biggest liabilities when it comes to cybersecurity. In 2018, a Positive Technologies study of 3,332 employees found that 27% of participants clicked on test emails with phishing links. With the 2018 cost of a data breach on the rise — ticking in at $3.68 million (up 6.4% from 2017) — it’s critical that everyone on your team recognizes threats and has resources to immediately report incidents.

2. DEVELOP A DETAILED PROCESS FOR HOW YOU'LL DISCLOSE BREACHES.

Nobody likes to dwell on cybersecurity incidents actually happening, but it’s essential that you have a process in place for how and when you’ll disclose a breach if it does occur. Ironing out this process now allows you to be more proactive and move forward in a timely manner. In particular, if you handle the data of EU citizens, you have just 72 hours to report a breach, according to GDPR's new deadline.

Timing can be a delicate balancing act. While you don’t want to act too quickly and disclose a breach before you have all of the necessary details, waiting too long to make the event known can expose you to criticism. Public trust in T-Mobile, Equifax, and the German government(to name a few) declined following delayed disclosure of data exposures.

If you don’t already have clear protocols for disclosure, it’s time to create them. Consider including:

  • A deadline for when internal and external stakeholders will be made aware of the event
  • What information you will share with the different parties
  • Incorporating language that empowers users to take security into their own hands

As we highlighted in our prior dissection of the Reddit data breach, you can return power to users who are in a situation where they feel like victims by laying out the steps they can take to protect their personal information.

->Reddit Data Breach notice to users regarding 2FA and other security measures<-

Image Source: Reddit

While it might make you uneasy to be so upfront about your vulnerabilities, if you communicate the issue correctly, you can turn the risk into an asset by retaining and even bolstering user trust.

3. IMPLEMENT A STRONGER USER MANAGEMENT SYSTEM.

One of the biggest barriers to transparency in corporate cybersecurity is that, even for IT staff, it can be difficult to understand who is working within their system. With a range of permissions granted to customers, employees, and third parties, such as consultants — it's easy to lose track of your users.

Implementing a system like Auth0 can help you keep all of your users at a given time in one central view.

->Auth0 Dashboard view<-

Here, admins can monitor login activity, compare it with activity over time, and quickly note and take action on any unusual behaviors like multiple failed login attempts. Having a clear record improves your ability to demonstrate your practices both internally and externally.

More Transparency Leads to Better Security

When talking about cybersecurity, it’s usually new technologies that get the majority of the spotlight. Yet simple fixes, like increasing your level of transparency, is are also fundamental to progress. If implemented correctly, transparency practices can lead to improved security and, as an added bonus, increased trust with your stakeholders.

Working with Auth0 is one way that teams choose to boost their knowledge and ability to share information about cybersecurity. Auth0 is a trusted partner with thousands of enterprise customers across industries, giving teams and their end users added peace of mind in turbulent times.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.