Why the Double Standard of Reporting Breaches?

Most people like to point out when things in life are not fair, often asking, “Why do I have to do it if they don’t?” Cybersecurity professionals likely ask that question when it comes to reporting breaches.

According to a new survey, “Cybersecurity’s Double Standard,” conducted by Thycotic at this year’s RSA Conference, people are practicing double standards when it comes to reporting incidents. The survey reveals the contradictory expectations around incident response from more than 250 cybersecurity professionals.

What Thycotic found was that 84 percent of respondents wanted to be notified immediately if a company they worked with had experienced a breach. Yet, only 37 percent of these same cybersecurity professionals would notify customers right away if their own organization was breached.

The message is clear: If a company they do business with has experienced a data breach, they want to be notified as soon as possible. However, security pros appear not as inclined to reciprocate when an incident occurs in their organization.

Nearly 1 in 6 respondents admitted they had experienced a data breach and kept it a secret from the public or unsuspecting victims. Some reported that they wouldn’t say they had been breached because of pressure from executives or board members. “One reason cited for being less than forthcoming with responses about breaches concerned non-disclosure agreements (NDAs),” according to the report.

According to the survey, though, nearly 50 percent of respondents said they are not fully prepared to handle incidents and breaches. Only one-fifth said they have a prepared contact list and communications to manage an incident. Even fewer (12 percent) have conducted red team training with executives, and only 1 in 10 has a public relations team and legal advisors ready to manage and respond to incidents.

Why the Double Standard?

While victims impacted by a breach expect to be notified immediately, there are challenges that delay disclosure. One hurdle is that many organizations don’t have an incident response plan. The survey noted that leading industry analysts say upwards of 80 percent of security breaches involve privileged credentials, yet only 7 percent of survey respondents know where all their privileged accounts are located.

“It’s imperative that organizations understand the threats and prepare an incident response plan,” the survey said. Doing so will get them over that first hurdle. Even though organizations do recognize that they need an incident response plan, they have only just started down the path. “Procedure is not solid and fully implemented, so they struggle when an incident happens.”

As organizations respond to incidents, a lot of things influence their ability to legally disclose. Most have disclosure agreements with suppliers, which means their incident response plan actually limits their ability to announce a breach in a timely manner, said Joseph Carson, chief security scientist at Thycotic. Some investigations can take 14-28 days to finish before a company can disclose.

Certainly, brand protection is one reason why some companies try to withhold information of a breach, but often it is not within their legal means to publicly share information within a certain time frame.

There are two parts to disclosure. Sharing information about an incident is one of the benefits to responsible disclosure, as it helps other organizations learn, but disclosing has to be done in a responsible manner and it has to be done legally. “Organizations may have some law enforcement limitations,” Carson said.

The Value of Sharing

While withholding information may protect a company’s brand and reputation, it restricts the benefits of sharing key data and lessons learned from cyberattacks. This is a major reason why many governments are pushing for a general Data Breach Notification Requirement to ensure companies respond quickly and responsibly to data breaches and not hide them for months or even years.

Part of what disclosure intends to do is make other organizations aware of the things that were done correctly. “What worked well? It’s important to share successes as well because while there was a breach, it may have only been a partly successful breach, and that is helpful information to share,” Carson said.

Still, the lack of breach notification highlights the challenges of incident response, which suggests that organizations need to invest more so that they can respond to events in a timely manner that benefits their company, other companies and victims.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibitions' security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.