Has your business been the victim of a cyber attack in the last year? Its okay if it has, actually there’s a lot of benefit to publicly disclosing that the incident happened. The benefits are communal in nature and come back to you in the form of an overall more secure business community. For a real life comparison, business security hygiene is similar to vaccinations, where the application of preemptive protection protects the whole community from being impacted by a virus. In cyber security, the disclosure of a data breach helps to inform the whole community about a vulnerability that may have been missed and can help other businesses protect themselves so it does not become an industry wide issue. The issue on non-reporting has become very important to many governments, even Europe’s coming GDPR policy makes it explicitly clear that reporting does need to happen very quickly after a breach is discovered.
Impacts of Non Reporting
There’s a market failure that is well known among business people and economists called information asymmetry. The issue occurs when one party in a transaction has more relevant information than another party. Normally people think about general sales transactions or equity purchases. However, this concept can apply to cyber security in a very important way. When your business has become the victim of a data breach and you know about it, whenever you interact with a customer or business partner you know their information may be compromised. With this knowledge, you know they may face financial collapse in the near future as a result of the breach, they don’t though. This may affect who you continue to do business with, the theft of their information may affect all other transactions they have in a negative way. By withholding a data breach, customers and partners are put at severe risk of having everything falling apart from not knowing that someone may be using their information in a variety of ways.
This information asymmetry takes on a different life in the community of cyber security experts. It’s with cyber security experts and companies that the latest patches, processes, and recommendations come from to protect the entire economy and government institutions. During the WannaCry outbreak, there were many companies and governments impacted. This number could’ve been much higher if Microsoft didn’t notify organizations that there was a ransomware out capable of seizing Windows XP machines. While many report on who was affected, there were many that the ransomware didn’t affect due to cyber security experts sounding the alarm and action being taken to patch vulnerabilities.
Without disclosure from companies when they have had a breach, cyber security experts are unable to effectively do their jobs to protect the business community and governments. The information asymmetry preventing cyber security experts from doing their job allow for hackers to develop attacks faster than cyber security experts can keep up with them. Transparency and good communications prevent the outpacing of criminals over the experts who are trying to help us all.
This is not just a concern of cyber security experts. Many public institutions have cited the threat to public safety that non-disclosure has on people. Even Delaware just passed a law which includes a requirement for data breach notification, it is being hailed as a potential model state legislation which could become a standard across the United States.
The stakes have increased recently when the SEC launched a probe in whether Yahoo should be held criminally responsible for failing to disclose a data breach when it happened. The data breaches that Yahoo failed to disclose also impacted its final sale to Verizon and cause the final purchase price be $350 million less than what they were expecting. The legal battles and financial impacts could’ve been avoided if Yahoo disclosed their breaches as soon as they were aware.
Technology Aided Reporting
Data breach reporting doesn’t have to be a struggle or sign of poor management. With technology solutions such as Teramind, companies are able to not just report a data breach but identify exactly what happened with advanced forensics. In addition to the forensics the use of security software also demonstrates that the company had taken serious steps to mitigate and prevent damage as much as possible.
Non-disclosure has a negative impact on the business community and for cyber security experts. If you’re having issue reporting data breaches or would like to prevent them, then reach out to Teramind and we can help fit you with the right solution for our organization.