If you have knowledge, let others light their candles in it.


Imagine you have the details of every cyber security incident that’s ever happened. 

How the attackers first gained entry and moved around the network.

What they were trying to achieve, and how the attacks finally ended.

The details of all the cyber security actions taken to counter the attacks, including those that worked (and those that didn’t).

We think that would be pretty useful for you and your organisation. You could learn about real attacks, what helps to stop them (and what doesn’t). You could take that information and use it to make improvements to your own cyber security.

However, this can only happen if people are willing to share information about how cyber attacks have impacted their own organisations. 


Sharing information for everyone’s benefit

Previously, my colleagues from NCSC Incident Management and the ICO have shared the importance of transparency during incidents, and the benefits for everyone, including the victims. 

But once the dust has settled and the pressure of handling an incident has subsided, it’s important to review what happened, learn lessons and make the necessary changes. Sharing what you learned from the incident can help others learn too. This is one of the reasons we invited Sir Roly Keating, CEO of The British Library, to speak at CYBERUK 2024 and share lessons from the cyber attack that impacted his organisation in October 2023.

In the past, most organisations would keep this kind of information private. For example, the 2020 Cyentia Institute report on ‘The 100 largest cyber loss events of the last five years’ was almost entirely reliant on information gleaned from sources other than the victims. 

However, there have been some encouraging examples of organisations sharing ‘lessons learned’ from cyber security incidents, and it’s often the public sector leading the way, such as this report into the Conti ransomware attack on Health Service Executive of Ireland.

Governments and regulators are encouraging organisations to be more open about cyber security incidents. Rather than being forced to share information (either by regulatory requirements or weight of public opinion) why not get ahead of the game? Why not share voluntarily, in your own time and in your own way?

It’s important to note that sometimes sharing this information can be uncomfortable. If you are committed to learning from incidents, not everything is going to be positive. But in sharing what you’ve learned, you will be playing your part in building a learning environment across the cyber security ecosystem. One where we all accept that everyone can make mistakes, and that we can all improve if we learn lessons built on openness and honesty.

We recognise the importance of sharing responsibly, without giving any further information to potential attackers. Sharing information about weaknesses you find can provide information about vulnerabilities that still exist.

We encourage organisations to share information publicly wherever possible, if this is not possible, there is still benefit in sharing in trusted channels. These include NCSC’s CISP platform or other trusted groups. We also encourage organisations to break out of the usual sharing within sectors, as lessons learned are often much more widely applicable than for a single sector. 

Cyber attacks that don’t succeed - perhaps because of cyber security defences or even just luck - can also provide valuable insights. These ‘near misses’ provide an opportunity for learning about the threat you and others are facing and the effectiveness of cyber defences. Organisations can use near misses to develop realistic scenarios for threat modelling and to improve their response to future incidents, rather than allocating blame. Lessons learned and shared from near misses can be just as valuable as those from real incidents. 

Sharing the lessons learned from cyber security incidents and near misses with the wider community is an important part of our collective resilience, so I hope you and your organisation can play an active part. We encourage you to share incident and near miss lessons learned in the following ways:

  • publicly, if it is responsible to do so
  • on the NCSC’s CISP platform
  • in trusted cyber security groups, ideally across sectors

Ralph B
Chief Technology Officer, Economy & Society, NCSC

 

* The quotation “If you have knowledge, let others light their candles in it” is attributed to Margaret Fuller Ossoli, an American journalist, editor, critic, translator, and women's rights advocate.


 

Comments