The possible consequences of cyberattacks in our digitalising era are getting bigger and bigger. ARTIS Zoo and Maastricht University recently publicised their experiences with cyberattacks to help other companies and bodies. Many businesses, however, are not open about their cybersecurity. Bernold Nieuwesteeg, director of the Centre for the Law and Economics of Cybersecurity (CLECS) and Assistant Professor of Law and Economics at Erasmus School of Law, argues in an opinion piece in Het Financieele Dagblad (FD) for more transparency in cybersecurity by companies.
Together with the CLECS, Nieuwesteeg examined 300 annual reports of publicly traded companies from the past four years. They looked at the extent of transparency in cybersecurity. “Our conclusion? Businesses often hold back information. Or they report a hotchpotch of measures with little useful information, even though everyone agrees that cyber risks should be Chefsache”, says Nieuwesteeg.
Underestimated problem
Critics who say that limited transparency is a limited problem are wrong, according to the Assistant Professor: “Some will say that it is a limited problem. ‘Organisations with bad cybersecurity will be hacked anyways, and people will avoid those companies’, is often the train of thought. Unfortunately, that is a mistake. Firstly, it can take a while before hackers punish suboptimal cybersecurity. Secondly, sometimes even well-secured companies get hacked.”
Cybersecurity and transparency are of great importance, stresses Nieuwesteeg: “Organisations should be more active in sharing their knowledge. Currently, there is no healthy exchange of information between businesses and external stakeholders. That is why companies get away with bad cybersecurity.” Not just stakeholders but also other companies and society benefit from a transparent flow of information in the fight against cybercrime.
Sharing best practices
Some worry that sharing cybersecurity information helps criminals, but according to Nieuwesteeg, there is no need to worry: “Of course, you should not publicly share unresolved vulnerabilities in software, but you should share your best practices. If I explained that I bought a heavier bike chain resistant against portable circular saws, that would not make me vulnerable either.”
It is now vital that the government includes transparency on cybersecurity in its new cybersecurity strategy, pleads Nieuwesteeg: “The strategy decides the direction of the policy for the coming years. Businesses are now victims of the lack of knowledge sharing about cybersecurity measures. They look at high costs for weak cybersecurity. Products and services are getting more expensive, and the competitiveness of the Netherlands is decreasing. So, Dutch cybersecurity strategy drafters, take the opportunity to change the strategy or arrange this with an appendix. Please get to work with the theme of external transparency.”