
Cracking the code of silence

New European rules aim to make companies more transparent about data breaches, but some experts warn that they may have the opposite effect

Written by The Economist Intelligence Unit

Sponsored by:


Pick a large company at random and there is a high chance that it will have been the victim of a malicious security attack. In the UK, over three-quarters (78%) of large organisations admitted that they had been attacked by an unauthorised outsider in the previous 12 months, according to a 2013 report [1] by the UK government’s Department for Business, Innovation and Skills. Yet the number of companies that have spoken publicly about data breaches remains vanishingly small.

Clearly, companies are reluctant to reveal security incidents, even though they are such a common occurrence. The recent compromise of security at the major US retailer Target is a case in point. Details of the breach, in which tens of millions of customers’ credit-card details were compromised, were first revealed by the security expert and blogger Brian Krebs, not the company itself.

For many companies the risks of disclosure outweigh the benefits. “This is being driven by potential adverse publicity and the fear of loss of confidence in the company,” says Paul Simmonds, a former information security chief at the pharmaceutical firm AstraZeneca and the current chief executive at the Global Identity Foundation. “There is little perceived benefit in disclosing, especially if it’s not mandatory, against lots of risk.”

Boards of directors, charged with maintaining the share price of publicly listed companies, are especially unlikely to sanction any more disclosure than is strictly necessary, lest the news trigger a share price crash. That is not to say that companies keep security incidents entirely secret. Security and IT chiefs generally recognise the long-term benefits of greater transparency. They realise that if legitimate businesses are to combat the criminals who are trying to steal their data, they must share information just as effectively.

Most of this information sharing goes on behind closed doors, through specialist professional forums. Last year, the UK government launched the Cyber-Security Information Sharing Partnership (CISP), which provides member companies with a “virtual environment” through which they can share information about current and emerging security threats.

CISP has been well received by UK businesses, says Stewart Room, a security specialist and partner at the law firm Field Fisher Waterhouse.

“Businesses have really embraced the idea of sharing information on threats, risks and breaches,” he says.

Still, their willingness to share mostly falls short of public disclosure, meaning that customers—who may be at risk following a data breach—are left in the dark. Soon, though, European companies may be forced to disclose data breaches in public, if proposed revisions to the EU’s data protection rules are ratified.

Mandatory disclosure

New laws proposed back in 2012, and still being debated in the halls of Brussels, include a data breach notification law that would oblige all companies above a certain size to disclose details of any breach affecting customer data within 24 hours of discovering it.

Backers believe this new rule will protect the right of citizens to know what happens to information about them and will alert other businesses to common threats.

However, the European Commission has also proposed considerable fines for companies that fail to protect their customers’ data adequately. Critics fear that the threat of a fine will in fact discourage companies from disclosing data breaches.

Mr Room argues that businesses may see the new legislation more as a trap than as a mechanism to encourage appropriate behaviour. “They believe in sharing information and disclosing incidents in the right way, with the right people,” Mr Room says. “But when it is a pathway to sanctions, it does not appeal.”

In particular, many organisations believe that they should escape sanction if they own up to a data breach, no matter how serious, as long as they have behaved responsibly. This is not to say negligent companies should go unpunished, Mr Room adds.

The 24-hour rule may also prove counterproductive, according to Andrew Kellett, the principal security analyst for the IT advisory firm Ovum. If senior management learn of a breach more than 24 hours after it was first detected, for example, they may choose to keep quiet rather than face a fine.

Meanwhile, Mr Kellett says, the average time it takes organisations to detect breaches is getting longer. Research by the security company Trustwave found that the average time to detection in 2012 was 210 days, up from 175 in 2011.

“It still takes an organisation too long to identify breaches,” says Mr Kellett. “We’re not getting any better at detection. Indeed, we’re getting worse.”

Few would question the benefits of sharing information about security incidents, but the manner in which that information should be shared is still subject to debate. The European Commission hopes that it can propagate a new culture of transparency with its proposed legislative reforms, but some experts believe they could simply reinforce the code of silence.

[1] http://www.pwc.co.uk/assets/pdf/cyber-security-2013-technical-report.pdf

Posted: 04/12/2015, 00:03
