Which situation do you think is worse: Your company getting a public relations and/or consumer confidence hit because you revealed that your network was breached or not disclosing the breach at all?
Based on a recent ThreatTrack report, a lot of employers out there think the PR situation must be the worst scenario. The survey, conducted by Opinion Matters, includes feedback from 200 security professionals dealing with malware analysis within U.S. enterprises. It found that nearly 6 in 10 malware analysts have investigated or addressed a data breach that was never disclosed by their company.
Beyond showing that companies are not being totally open with their customers, the ThreatTrack report suggests that the data breach problem is a lot worse than any of us thought. According to Verizon’s 2013 Data Breach Investigations Report, there were 621 confirmed data breaches last year. But if nearly 60 percent of malware analysts say the breaches they investigated internally were never reported, it is a good bet that 621 breaches is a low number. A very low number.
It also seems like the larger the company, the less apt the company is to report a data breach. As eSecurity Planet pointed out, “at companies with more than 500 employees, 66 percent of respondents said they had handled undisclosed data breaches.”
ThreatTrack CEO Julian Waits, Sr. said in a statement:
While it is discouraging that so many malware analysts are aware of data breaches that enterprises have not disclosed, it is no surprise that the breaches are occurring. Every day, malware becomes more sophisticated, and U.S. enterprises are constantly targeted for cyber espionage campaigns from overseas competitors and foreign governments. This study reveals that malware analysts are acutely aware of the threats they face.
However, companies of all sizes aren’t doing themselves or anyone else any favors by not reporting when breaches do happen, or by not revealing how a malware attack affects business networks and operations. Security is a cooperative venture. The best way to combat attacks is to share information. When company A discovers a new strain of malware and shares information about it, company B’s security software can be updated to catch it. Not revealing the breaches and malware attacks not only hurts IT security efforts, it is also dishonest to everyone the company serves.