Why Most Security Breaches Go Unreported
Updated: Dec 1, 2019
Over the past several years we have been shocked by news stories of huge data breaches, including Yahoo, Experian, Target, Anthem, LinkedIn, eBay, Marriott, OPM and several others. Have you ever wondered what these breaches have in common? Each involved the compromise of personal data records, which triggered breach notification laws requiring the breached entity to notify the public, and in particular the individuals whose personal data may have been exposed.
Most entities would prefer not to report a breach because of reputational risk as well as potential litigation. As consumers, we are unlikely to entrust our personal information (usernames, passwords, dates of birth, addresses, Social Security numbers, etc.) to an entity that has demonstrated it was unable to safeguard that information from someone who would steal it for nefarious purposes.
An organization’s legal obligation to report a specific breach depends on the requirements imposed by the respective states in which the affected consumers reside. That said, many of these reported breaches become public only months after the organization detected them. One reason is that many state notification laws allow an organization to delay reporting while law enforcement is conducting an investigation into the breach in an attempt to identify and locate those responsible.
What is more concerning is that these “reported” breaches are only the tip of the iceberg when it comes to the sheer number of data breaches that actually occur and are never publicly disclosed. These breaches occur across all sectors, including retail stores, wholesalers, manufacturers, hotels, restaurants, financial institutions, health care providers, academic institutions, law firms, and city, state and federal government entities.
While networking with contacts in the local business community, I frequently learn in confidence that their organizations recently suffered serious security breaches. The most common type of breach surfacing in these discussions is a ransomware attack. In such cases the attacker gains access to the target’s systems and installs malicious code that encrypts files across the network. The attacker then demands a ransom, usually paid in a digital currency, in exchange for the decryption key. The victim’s data is in fact “held hostage” until payment is made.
At this point the victim will typically analyze whether to pay the ransom or to refuse and report the incident. Prior to attacking a firm, attackers conduct their own assessment of how much the target would likely pay to quickly free its information. While law enforcement officials typically recommend that a ransom not be paid, the reality is that most ransoms are paid. For the victim, refusing to pay means a significant period during which it cannot conduct normal business operations, ultimately costing more in lost revenue as well as the added expense of rebuilding its IT systems. Intelligent attackers using ransomware calculate the threshold up to which a company will pay, then ask for an amount somewhere below it.
As a result, the company usually pays the ransom quickly and tries to minimize any disclosure, even within its own organization, that such an incident took place. Only then do decision makers change their mindset from “it will never happen to me” to “it happened and it could happen again.”
The recommendations I provide to our clients aim to improve both their preventive and their recovery postures. On the prevention side, entities need to adopt security awareness training, which blunts the phishing and social-engineering attempts that precede many ransomware infections. On the recovery side, in the event that a ransomware attack succeeds, they need an established backup system for their information. That backup should be isolated from the production network, appropriately firewalled so that a compromised workstation cannot reach and encrypt it, updated daily, and periodically test-restored to confirm the data actually comes back.
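The backup advice above is the part most organizations get wrong in practice, so here is an added example (not from the original post) of the minimum a practitioner would want: snapshot-style backups, one new directory per run so earlier copies are never overwritten, a SHA-256 manifest so an encrypted or tampered copy is detected before anyone trusts it, and a restore routine that refuses tampered data. The directory layout, file names and the timestamp naming are assumptions for illustration; the read-only `chmod` is only a local stand-in for the real control, which is a separate, firewalled backup host or offline media that production can push to but never modify.

```shell
#!/bin/sh
# Added example, not from the original post. Layout ($DEST/<timestamp>/),
# file names and the local chmod are assumptions; in production the
# destination is an isolated host or offline media that the production
# network can append to but not overwrite.
set -eu

# Copy directory $1 into a new timestamped directory under $2 and write a
# SHA-256 manifest of every file. A fresh directory per run means an attacker
# who encrypts today's data cannot retroactively rewrite yesterday's copy.
backup_snapshot() {
    bk_src="$1"; bk_dest="$2"
    bk_snap="$bk_dest/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$bk_snap"
    cp -R "$bk_src"/. "$bk_snap"/
    (cd "$bk_snap" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + \
        | sort -k2 > MANIFEST.sha256)
    # Read-only files: a weak local approximation of an immutable backup store.
    find "$bk_snap" -type f -exec chmod a-w {} +
    printf '%s\n' "$bk_snap"
}

# Recompute every hash in the manifest. Any changed or missing file (which is
# exactly what a ransomware-encrypted backup looks like) makes this fail.
verify_snapshot() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# Restore snapshot $1 into directory $2, but only if it still matches its
# manifest. Running this on a schedule is the "test your backups" step.
restore_snapshot() {
    rs_snap="$1"; rs_target="$2"
    verify_snapshot "$rs_snap" || return 1   # refuse to restore tampered data
    mkdir -p "$rs_target"
    cp -R "$rs_snap"/. "$rs_target"/
    rm -f "$rs_target/MANIFEST.sha256"
    chmod -R u+w "$rs_target"
}

# Stand-alone walk-through using constructed data in a temporary directory.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data"
    printf 'customer records\n' > "$work/data/customers.csv"
    snap=$(backup_snapshot "$work/data" "$work/backups")

    # Simulate ransomware on production: the working copy is now unreadable.
    printf 'ENCRYPTED\n' > "$work/data/customers.csv"
    restore_snapshot "$snap" "$work/restore"
    echo "restored: $(cat "$work/restore/customers.csv")"

    # Simulate an attacker who could also reach the backup (it was not isolated).
    chmod u+w "$snap/customers.csv"
    printf 'ENCRYPTED\n' > "$snap/customers.csv"
    if verify_snapshot "$snap" >/dev/null 2>&1; then
        echo "tampered snapshot was NOT detected"; rm -rf "$work"; exit 1
    fi
    echo "tampered snapshot rejected"
    rm -rf "$work"
}

demo
```

Two design points worth noting. First, the manifest only catches tampering if the attacker cannot rewrite it along with the data, so on a real deployment the manifest (or at least its hash) belongs on a system the production network cannot write to; the manifest is a detection aid, not a substitute for isolation. Second, the restore step is part of the backup, not an afterthought: a backup that has never been restored is an assumption, and ransomware is when you find out whether it was a good one.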
Unfortunately, most organizations wait until they have suffered a significant breach before putting the appropriate safeguards in place. Until organizations become more proactive about protecting their information, the attackers will continue to win.