We’ve all heard that the more you give, the more you receive. That’s just as true in cyber security.
Think about a city in which a burglar breaks into a house. What happens if the homeowner decides not to notify the police? First, they will likely not retrieve their stolen property; but second, the burglar will likely break into another home and do the same thing.
If you were the second homeowner, wouldn’t you be upset to learn that your break-in could have been prevented had the first homeowner alerted his neighbors and the police? You might have been more cautious. If you knew that the burglar’s MO was to break in through the garage during the day, you might have double-checked your locks or been sure to set your alarm system. Or maybe the police would have had extra patrols in the neighborhood.
Now let’s look at what could happen if a company is hit with a cyber attack. Currently, some regulations require reporting only if personal data has been compromised. Even then, the reports are to people whose information was accessed, NOT law enforcement.
It’s good that people whose data is breached are notified, and maybe they have identity monitoring for the next several months or years. But this is often not public information. And, if it is, the details of the breach are not well-known.
Currently, the SEC is evaluating a requirement for publicly traded companies to have to report significant cyber security incidents within four days of detection.
Other cyber security professionals will find the information invaluable. When CISA or MS-ISAC sends out notifications of recently discovered vulnerabilities and the fixes, it is because the information has been reported. The IT or security team can then implement the fix in order to protect their organization.
However, some companies are reluctant to report cyber breaches. They may fear regulatory fines, loss of business due to loss of faith, or they may fear losing market share to their competitors.
A recent study by Bitdefender found that in the US, over 70% of IT/cyber security staff were told NOT to report such findings or breaches! This clearly indicates that executive leadership and boards do not adequately understand the significance of these things and that if all companies reported, they would all be safer.
The upcoming SEC changes, in addition to reporting within four days, include a requirement for making investors aware of whether the board members of these companies are properly handling cyber security within the companies’ risk strategy.
As cyber attacks have become commonplace and the impacts more significant, it has become a part of doing business to deal with such threats. Therefore, the board must include it in its planning and oversight.
The more these things are hidden, the more the perception is that cyber security is not that important.
If you move to a new neighborhood and are told that the crime rate is extremely low, you feel safe. You are less likely to use deadbolt locks, alarm systems, cameras, etc. However, if you know the true rate of crime, you will use all these security tools or possibly move to another neighborhood.
No one is immune from cyber attacks. Therefore, if we all are part of the solution, maybe we can make a difference in minimizing cyber threats. A rising tide really does raise all ships.