The statistics on how many security breaches are occurring within companies make for bleak reading, with 93% of large organisations and 76% of small businesses reporting security breaches in the last year [1]. There were many high-profile security breaches in 2012, such as LinkedIn and the South Carolina Department of Revenue. Countless more companies have experienced serious breaches but have avoided hitting the headlines.
Proposed EU data protection reform, which could legislate that organisations report all data breaches, large and small, within 24 hours, brings up the debate on whether organisations should be required to disclose breaches. Additionally, TechWeek Europe has reported that a proposed directive from the European Commission could force business and government bodies to report any significant cyber-attacks in future.
Is obligatory disclosure for the greater good, or too potentially damaging for organisations?
From a business' perspective, keeping breaches under wraps can avert massive public relations disasters. Public security incidents can have disastrous consequences due to reputational damage, loss of customers and plummeting share prices.
But the breached organisation is not the bad guy in this tale, right? If a bank branch is held up at gunpoint, no blame is assigned to the bank manager; so why, when it comes to cyber, does being the victim of a crime cast you as the villain? And if a bank manager does not have the correct security in place to prevent a robbery, how does the scenario change?
Putting aside, for the moment, the practical problems of disclosing a data breach within 24 hours, the fact that organisations may be forced to disclose breaches and cyber-attacks could be a real game-changer.
Coming from Dell SecureWorks, a company that is 100% focused on security, my natural inclination is to support any initiative that is likely to make security more of a priority within companies in other industries. However, we are also fully committed to helping customers have as painless a security experience as possible.
Whilst the economic outlook is improving, life is no walk in the park for many organisations, particularly small and medium businesses, which feel the effects of the economic downturn most acutely. More and more SMB organisations are being targeted by cyber criminals. With typically weaker security postures and less in-house security expertise, SMBs are seen as low-hanging fruit for criminals, and they can have links into larger organisations which can be exploited. Obligatory breach disclosure could place a severe burden on these organisations. They would struggle to devote the necessary resources to information security and to gaining enough visibility into their networks that a breach would be immediately noticeable.
However, with the increasingly hostile threat landscape, ensuring that companies are protected from attacks is of utmost importance. Compulsory breach disclosure would ensure that information security is a priority for companies at board level, due to the increased risk of reputational damage and of fines for non-compliance. This could improve the standards of security across enterprises and decrease the number of preventable breaches caused by well-known threats.
On balance, I would argue that putting pressure on organisations to disclose breaches can only improve the overall security posture of companies and better protect customers' data and the organisation's business-critical data. However, companies will need to be supported and offered guidance so that they feel as little pain as possible. It is in an organisation's best interest to have a strong security posture and not succumb to avoidable breaches; however, if a company has taken reasonable steps to protect data then they should not be made out to be the villain in the event of a successful attack.
[1] PwC 2012, 'Information Security Breaches Survey' (United Kingdom)