Why the Double Standard of Reporting Breaches?
Most people like to point out when things in life are not fair, often asking, “Why do I have to do it if they don’t?” Cybersecurity professionals likely ask that question when it comes to reporting breaches.
According to a new survey, “Cybersecurity’s Double Standard,” conducted by Thycotic at this year’s RSA Conference, people are practicing double standards when it comes to reporting incidents. The survey reveals the contradictory expectations around incident response from more than 250 cybersecurity professionals.
What Thycotic found was that 84 percent of respondents wanted to be notified immediately if a company they worked with had experienced a breach. Yet, only 37 percent of these same cybersecurity professionals would notify customers right away if their own organization was breached.
The message is clear: If a company they do business with has experienced a data breach, they want to be notified as soon as possible. However, security pros appear not as inclined to reciprocate when an incident occurs in their organization.
Nearly 1 in 6 respondents admitted they had experienced a data breach and kept it a secret from the public or unsuspecting victims. Some reported that they wouldn’t say they had been breached because of pressure from executives or board members. “One reason cited for being less than forthcoming with responses about breaches concerned non-disclosure agreements (NDAs),” according to the report.
According to the survey, though, nearly 50 percent of respondents said they are not fully prepared to handle incidents and breaches. Only one-fifth said they have a prepared contact list and communications to manage an incident. Even fewer (12 percent) have conducted red team training with executives, and only 1 in 10 has a public relations team and legal advisors ready to manage and respond to incidents.
Why the Double Standard?
While victims impacted by a breach expect to be notified immediately, there are challenges that delay disclosure. One hurdle is that many organizations don’t have an incident response plan. The survey noted that leading industry analysts say upwards of 80 percent of security breaches involve privileged credentials, yet only 7 percent of survey respondents know where all their privileged accounts are located.
“It’s imperative that organizations understand the threats and prepare and incident response plan,” the survey said. Doing so will get them over that first hurdle. Even though organizations do recognize that they need an incident response plan, they have only just started down the path. “Procedure is not solid and fully implemented, so they struggle when an incident happens.”
As organizations respond to incidents, a lot of things influence their ability to legally disclose. Most have disclosure agreements with suppliers, which means their incident response plan actually limits their ability to announce a breach in a timely manner, said Joseph Carson, chief security scientist at Thycotic. Some investigations can take 14-28 days to finish before a company can disclose.
Certainly, brand protection is one reason why some companies try to withhold information of a breach, but often it is not within their legal means to publicly share information within a certain time frame.
There are two parts to disclosure. Sharing information about an incident is one of the benefits to responsible disclosure, as it helps other organizations learn, but disclosing has to be done in a responsible manner and it has to be done legally. “Organizations may have some law enforcement limitations,” Carson said.
The Value of Sharing
While withholding information may protect a company’s brand and reputation, it restricts the benefits of sharing key data and lessons learned from cyberattacks. This is a major reason why many governments are pushing for a general Data Breach Notification Requirement to ensure companies respond quickly and responsibly to data breaches and not hide them for months or even years.
Part of what disclosure intends to do is make other organizations aware of the things that were done correctly. “What worked well? It’s important to share successes as well because while there was a breach, it may have only been partly successful breach, and that is helpful information to share,” Carson said.
Still, the lack of breach notification highlights the challenges of incident response, which suggests that organizations need to invest more so that they can respond to events in a timely manner that benefits their company, other companies and victims.