Despite the many regulations, from GDPR to CCPA, HIPAA, and PCI DSS, that mandate that a company report a data breach, many corporate hacks go unreported. Certainly, compliance is a driving force for the organizations that do report a data breach. Still, in 2019, CSO Online reported that the FBI’s Internet Crime Complaint Center received reports of approximately 350,000 cybercrimes, which represented only 15% of actual victims. There are many reasons why companies fail to involve law enforcement when they’ve been compromised.
Need for Discretion
The Securities and Exchange Commission updated its cybersecurity guidance in 2018, which resulted in elevated tension for companies that had suffered a breach. Because of the delicate need for discretion, companies found themselves caught between a cactus and a prickly thing when determining whether or when to report an incident to stakeholders. The late Craig Newman wrote in the New York Times, “this tension between the need for discreet cooperation with law enforcement and the obligation to inform investors and the markets creates a dilemma for public companies.”
Obstacles of Confusion
Not every company withholds information from some stakeholders because it is being methodical. In fact, some companies don’t know that they’ve been the victim of an attack, while others don’t understand how to report a cybercrime. Confusion over what activities should be reported and how to report them is indeed a global issue. Europol’s 2020 Internet Organized Threat Assessment noted, “Challenges with reporting torment ability to create an accurate overview of crime prevalence across the European Union.” Add to that the organizations that have detected an incident but don’t know that it’s considered serious enough to report, and the result is a win for attackers.
Can’t Report What You Can’t See
Though multiple reports reveal the top threats facing today’s organizations, and some news outlets even list the major data breaches of 2020, these publications don’t paint the full picture of the number of companies that currently have active malware in their networks. Those companies can’t report a breach because they have yet to detect the adversary lurking on their systems. Prevailion’s Cyber Adversary Intelligence analyzed the Fortune 500 sectors and found evidence of active malware in 22% of organizations during the second and third quarters of 2020.
Of those, the highest percentage of compromises were found in the software and technology sectors, with the average lifecycle of a breach spanning 246 days and resulting in an average cost of $5,040,000. The problem, aside from the obvious, is that these are not publicly disclosed security incidents. This is undetected active malware.
Though some companies may falsely believe that having no security incident to report is a badge of honor, the opposite is often true. According to a piece from ComputerWeekly, when a company has no breaches reported, that often raises a red flag for compliance auditors: “It means one of two things – they are perfect (unlikely), or their employees are nervous about reporting a breach, don’t know how to recognize one, or aren’t aware of the process to report one. All of which are issues that need addressing urgently.”
Why Disclosure Matters
At a very basic level, knowledge is power. Having knowledge of a breach empowers the organization to act responsibly and quickly so as to avoid future disaster. The SEC said, “Crucial to a public company’s ability to make any required disclosure of cybersecurity risks and incidents in the appropriate time frame are disclosure controls and procedures that provide an appropriate method of discerning the impact that such matters may have on the company and its business, financial condition, and results of operations, as well as a protocol to determine the potential materiality of such risks and incidents.”
Beyond the risk to the impacted organization, there is a duty in today’s interconnected world to have full visibility into your environment for the extended security of a company’s supply chain, partners, and vendors. Take Yahoo! for example. In the midst of its acquisition by Verizon Communications in 2017, the search engine suffered a loss of $350 million after “Yahoo had the misfortune to have disclosed three massive data breaches.” Though costly, Yahoo! had a fiduciary duty to disclose those breaches.
We can turn to the Verizon Data Breach Investigations Report to understand more about why disclosure matters. The report itself is the result of data compiled from publicly disclosed security incidents. “The year-to-year data will have new incident and breach sources as we continue to strive to locate and engage with additional organizations that are willing to share information to improve the diversity and coverage of real-world events.”
Threat intelligence and intelligence sharing are critical to real-time threat detection. In 2021, failure to report a compromise is no longer a decision that a company can make to protect its reputation and brand, and ignorance is no longer an option.
Read some thoughts from our CTO, Nate Warfield, who discusses the escalating attacks on critical infrastructure with other cybersecurity experts in this Industrial Week roundtable.