What’s the first company that comes to your mind when you think of a cyber attack mentioned in the media? As information security experts, our industry tends to hear about and become aware of cyber attacks more often than others, but despite how regularly we hear of these attacks being reported in the news, most IT professionals believe that cyber attacks are significantly underreported.
A survey found that 87% of IT professionals think that large financial hacks are happening more often than reported without security auditors’ knowledge. In addition, 51% of IT professionals believe that their corporate networks are being targeted continuously by hackers.
Cyber attacks are causing so much damage to American companies that they threaten U.S. competitiveness around the world. Despite those numbers, however, you will not find much evidence of that dramatic damage in reports filed with the Securities and Exchange Commission.
Why are cyber attacks underreported?
U.S. officials state that cyber attacks are happening, but companies are hesitant to reveal damages to their organization for fear of scaring off potential or existing customers, damaging stock value or facing legal liabilities. Some companies do not know that their networks are being compromised. Other companies are less likely to go public about data breaches because of the negative impacts on an organization’s reputation and share price. Even though withholding information is the trend, keeping security incidents a secret is not the right thing to do, particularly if customer data is involved.
Why should cyber attacks be disclosed?
Many believe that until we create an environment where companies can open up about cyber attacks on their networks without being attacked by the media and industry, companies will continue to withhold this information. Companies should be encouraged to share cyber security breaches in order to increase public awareness of the threats that exist to U.S. security. In addition, being honest when communicating a security breach with the affected parties will reassure customers that you are doing everything possible to fix the situation and rebuild a trust with them.
How can a cyber attack be reported?
In 2011, the SEC released tips for companies to better understand how and when to disclose cyber security attacks. Since then they have been encouraged to take additional steps. While the decision of how and when to approach regulators and authorities remains a bit of a judgment call, there are a few tips for approaching the situation:
1. Start the conversation early.
Consider your plan of action and how to communicate and deal with regulators before a breach even happens.
2. Dictate your story.
In the event that a breach does hit, notifying regulators at the earliest stage and being transparent allows regulators to investigate and understand.
3. Do not speculate about the facts.
While it is smart to notify regulators early, avoid offering misleading information or jumping to conclusions about the facts. All information provided should be accurate and reliable.
4. Know that every breach is unique.
Every data breach has its own set of facts and circumstances, and should be handled accordingly. Use judgment when determining how and when regulatory or law enforcement intervention is necessary.
Cybersecurity experts would like to see more companies disclosing the facts and details behind cyber attacks on their organizations. When some companies are comfortable opening up about attacks, others can see how real the problem of data breaches is and learn strategies to overcome attacks. While disclosing data breaches may hurt a brand’s reputation in the short term, it will help the industry in the long run.