Not Disclosing Data Breaches Remains a Destructive, Dirty Little Secret in Most Organizations
November 15, 2013
- An alarming number of data breaches go unreported, despite regulations that require breach notification.
- Senior leadership misuse of corporate computing assets often leads to malware infection.
Is the stigma of having a data breach going away with the constant stream of headlines we see about the latest sensational data theft? You wouldn’t know it judging by the latest report from ThreatTrack Security, a study of the cybersecurity challenges facing IT security professionals. In the survey of 200 security professionals, whose identities were kept anonymous, ThreatTrack found that about two-thirds of U.S. enterprises that employ at least 500 people do not report data breaches. The study found that the worst offenders when it comes to hiding data breaches are in the utilities and manufacturing sectors, with nearly 80% of those organizations keeping data breaches secret. In the IT and telecom verticals, breaches go unreported 57% of the time.
Beyond the social stigma, the financial hit that organizations risk certainly motivates them to keep quiet about such breaches, despite the disservice that does to customers. Collectively, however, all that hiding of breaches prevents us from knowing the full extent of the problem and its impact on our way of doing business. I think if we really understood it, we would do a lot more to protect our sensitive data. That raises the question: Is the need to understand the whole problem urgent enough to put stronger laws and enforcement in place to mandate breach disclosures?
The other really disturbing finding from the ThreatTrack study is the extent to which executive misbehavior contributes to malware infection on their corporate-owned laptops. The security professionals reported that in 40% of the cases, the PCs or mobile devices of senior leadership were infected by malware as a result of surfing to a malware-infected porn site. C’mon, guys! Really? You’ve got sensitive company data on a device that you use to peruse a class of websites that are notoriously laden with malware? In 45% of the cases, malware infections were the result of the exec allowing a family member to use a company computer. Whatever happened to leading by example?
I think we need to put real teeth into data breach notification laws, including stiff fines for not reporting breaches, and company policies should apply to all employees, including the boss.