Few CIOs will discuss their security incidents in public — with good reason — but there are many compelling reasons for more openness.

You cannot ignore the risk of cyber-attack. No vulnerability will be left unturned by cybercriminals, bedroom hackers, pressure groups or anonymous citizens looking to disrupt an organisation’s business.

Attacks of all kinds are increasing in intensity and more firms are having to admit to being victims of them. This means that any company currently embarrassed by an attack or incident should take some solace from the fact that it is not alone.

Recent months have seen attacks on high-profile organisations including Amazon, MasterCard, Visa, Twitter and NASDAQ: all big names with significant server and security systems behind them.

Equally significant is the fact that the firms were apparently ready and willing to discuss what was happening, and what they were doing about it.

The most recent and perhaps most notorious attacks came as part of the fallout from the WikiLeaks scandal, when each side of the privacy debate began a war of attrition that sought to prevent the other from having its place on the internet.

Firms including Amazon and Visa refused to support the WikiLeaks cause by hosting its documents or accepting donations for it respectively, and became enemies of a loose collective of hacktivists that lurk under the name ‘Anonymous’. Anonymous, which had already shown its muscle in opposition to the Digital Economy Act, acted swiftly and effectively.

Moving targets

Perhaps because Anonymous was so open about what it was doing — it tweeted progress reports as it moved from target to target — so too were the firms it went after.

Amazon was bullish in its reaction to being taken offline. “The brief interruption to our European retail sites last night was due to hardware failure in our European datacentre network and not the result of a DDoS attempt,” the firm said at the time, suggesting that the attack had had no impact on its systems.

The same could not be said for others. “MasterCard SecureCode is currently down. This means that all MasterCard and Maestro transactions cannot be processed via 3-D Secure,” reported MasterCard in a brief to its clients.

Also vocal was Visa, which admitted that its corporate website was “currently experiencing heavier than normal traffic”. “Visa’s processing network, which handles cardholder transactions, is functioning normally and cardholders can continue to use their cards as they routinely would. Account data is not at risk,” read the site.

The same could not be said for Visa now. Ask the firm to discuss the denial-of-service attacks, its reactions and any lessons learned, and you will receive a polite ‘No’.

Visa is not alone in this, and the CIO who is happy to go on record discussing non-theoretical organisational security provisions and capabilities may spend the rest of his days fire-fighting increasingly inventive system assaults.

Graham Cluley, security expert at Sophos, said that the way in which firms react to attacks varies widely, and often depends on whether the attacks were successful or not. However, he added that there could be merits to going public, and questioned whether it was the IT team or public relations that dictated responses.

“Firms are often forced to go public about successful attacks. Regulations may demand that they inform customers and law enforcement agencies that personal information has been stolen by hackers, or if a public-facing website has been defaced there’s no way that it can be swept under the carpet as it’s out in the open,” he says.

However, Cluley added that it is most likely to be the corporate communications teams that dictate how a company reacts.

“Firms are often advised by their corporate communications departments to stick to approved statements, and that there will be no business benefit in providing any information beyond the minimum required,” he explains. “Indeed, they may worry that revealing too much information about what mistakes were made may shake the confidence of customers, who may choose to do business elsewhere.”

However, Cluley adds that the growth of social networking is changing the way firms interact with customers and clients, and is making businesses more open.

“This attitude is changing a little with the rise in social media, and companies are seeing the benefit in being more human and honest,” he says. “This means putting your hands up to your ability to make mistakes and get things wrong.”

Sharing experiences

A little knowledge sharing is not without its benefits either, and Cluley adds that CIOs often discuss issues between themselves. The wider public, he says, is more likely to be notified of a successful reaction to an attack than of how it happened. The reasons for this are obvious: organisations do not want to reveal their security details to those that might seek to exploit them.

“Firms are typically more comfortable with talking about how well they have done at protecting themselves against attacks, rather than how they have had problems,” he explained. “However, even then there may be staff in IT departments who would rather that the details of their security remained shrouded in mystery.”

Daniel Mitchell, founder and director of Lifeline IT, is hosting this year’s CyberCrime Security Forum in London — the first of its kind in the UK — on May 12-13.

“Organisations are very, very guarded,” he explains, “and it is only recently that they have really started to talk to each other.” Mitchell says that by discussing the risks, firms would be able to improve the way in which they react to them and be more confident that any response they make will be the best one possible.

“Events like this get the idea of strategy into the mind of CIOs. They can share their experiences and discuss their messaging. Better communications will help to protect industry against cybercrime. It is the preparation that needs sorting out. CIOs must be able to prove that they have observed best practice. Then you can say that you have done the best that you can.”

The event will focus on defence strategies, and John Craddock, panel member and speaker, sees it as a welcome opportunity to share key information with the people that really need it: the enterprises.

“We are going to open a lot of eyes,” he says. “There is a lack of knowledge, a lack of interest, in security and we are going to give CIOs a way forward.”

Craddock, External Infrastructure and Security Architect at Microsoft, added that one reason why firms may not want to discuss their security problems in too much detail is that, although they have only just discovered them, the problems are often not new.

In fact, he explained, it was not uncommon for a newly detected active vulnerability to have been in existence for two years or more before its ‘fix’ is reported to users. This sort of admission, he suggests, could be very embarrassing.

“If you have been attacked and found failing, you aren’t going to be looked upon favourably. But if you had it right, you should be able to deal with it.”

‘Dealing with it’ means improving security procedures and readying responses to attacks, a belt-and-braces approach that should appeal to the most cautious firms.

Craddock recommends that firms consider all potential areas of weakness, from the information kept on the hard disks of office printers right up to the monitoring systems used.

“Everyone will get attacked. But if you have your posture right you should be able to deal with it,” he says.

The best policy

Limiting the brand damage associated with being hacked does not just mean remaining mute on the subject, as the news will likely out itself anyway. It means being able to admit that yes, you were the victim of an attempted attack, but no, it was not serious and nothing was compromised.

It may be the public relations teams that currently dictate how an enterprise reacts publicly to attack, but it could become the responsibility of the CIO who, armed with the confidence and the knowledge that they have done all that they can, can admit to facing down an online dragon and — if not slaying it — then at least sending it back to where it came from.

Whether CIOs turn to social networks to admit such breaches or not, it is likely that such admissions will become the norm as users ask more questions about problems with their services and incidents become more obvious. After all, there is no better response to a problem than an answer that admits it, describes what happened, and then tells you how it was solved.

The CyberCrime Security Forum and CIO UK

The CyberCrime Security Forum will be the first of its kind for the UK’s public and private sectors. It is being launched in response to growing threats to UK business, following the government’s recent ranking of cybercrime as a major danger to national security. CIO UK readers can register and receive a 10 per cent discount. Register before April 21st and enter the promotional code CIO March.