By Mark Hatton on April 9th, 2013
One of the more interesting cyber security phenomenons I’ve witnessed recently is not only the willingness of CEOs to admit that their company has suffered a breach, but the enthusiasm in which they have shown in making the admission.
In what seems like only a short-time ago, company management, often on the advice of legal counsel, had no appetite to discuss issues of cyber security. This was especially the case when it had been compromised. Yet here we are today and the leaders of some of the world’s best-known brands are “raising their hands” and talking openly about the subject. So what changed?
I believe the change in attitude is the result of external pressure from two separate, and potentially competing, sources. First, the Securities and Exchange Commission (SEC) has been encouraging greater transparency from public companies to disclose breaches, even if they don’t involve a material incident. By law, companies must disclose breaches that affect shareholder value. According to the National Conference of State Legislatures (NCSL), 46 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving customers’ personal information.
The threat of potential non-compliance with government standards has been a driving force in changing corporate policies on not only what should be disclosed in terms of a breach, but also when and how it should be disclosed. While negative public perception has always been a primary reason to remain quiet, when balanced against the threat of state and federal action, it becomes the lesser of two evils in the eyes of most board members and executives.
The second factor I see influencing the decision to “go public” as the victim of a breach is that trendsetting entities such as Apple, Google and Facebook have made it ok to do so. Once these companies, viewed as the leaders in Internet technology, came out and essentially said, “We’ve been hacked, this is how they did it, and this is what they were after,” it has in many ways become almost the fashionable thing to do, or at least less embarrassing.
I believe another motivating factor on this front has been the desire to draw attention to just how difficult it is to be secure. By making this an issue that all companies are dealing with, rather than a series of isolated, individual incidents, it limits the backlash and damage to brand reputation. As they say, there is strength in numbers.
However, I would like to offer some words of caution. Yes, it is an unreasonable expectation that any company with an Internet connection will not at some point in time suffer an attack. But, companies should be very careful about using the “It’s happening to everyone, there is nothing I can do” defense. This too is a cop-out in my opinion, and we are already seeing courts and industry overseers hold companies to a higher standard in that every reasonable step must have been to identify and mitigate the threat.
One of the major reasons the SEC and other government agencies have been applying pressure for disclosure and transparency is to help organizations work together to more quickly identify and control threats. When companies continue to work in silos, the same threat can make its way from organization to organization, sometimes undetected, for long periods of time. When threats are disclosed, the security industry has proven time and time again, to have the ability to shut them down quickly and control the damage.
The University of Santa Clara recently posted a debate on the business ethics section of their website that I would encourage everyone to read as it offers unique perspectives from both the public and corporate sides of this argument. The setup is below and the full post can be found here:
Cyber attacks on American companies have become increasingly more common, but not all companies respond to security breaches the same way. Companies such as Facebook, Twitter and Apple, have voluntarily gone public with their security troubles. Alternatively, a number of companies have continued to deny cyber attacks, despite reports stating otherwise; including, Exxon Mobil, Coca-Cola, Baker Hughes, and others. The U.S. government has encouraged transparency on cyber attacks as part of a wider effort to protect American intellectual property. Advocates of disclosing breaches claim it will set a precedent for other companies to get more active in fighting cyber attacks. The majority of company lawyers advise not to disclose, pointing to potential shareholder lawsuits, embarrassment and fear of inciting future attacks. Health and insurance companies must disclose breaches of patient information, and publicly traded companies must when an incident effects earnings. What policy should companies adopt when dealing with a cyber security breach?
Lots of great questions, unfortunately, there are no easy answers. I do however, find it extremely encouraging that we are having this debate and the issue is out in the open. This public discussion can only help lead us towards more effective security practices and processes.
Related Reading: National Data Breach Notice - Ever or Never?