Would you publicly report a security breach?
Recent research by AlienVault revealed that only 2% of surveyed EU companies would be willing to go public should they suffer a security breach. 38% opted to inform the relevant authorities and 31% said they would tell their employees. A mere 11% said they would share the information with the security community.
Organizations that suffer a security breach face a Catch-22, said Barmak Meftah, President and CEO of AlienVault. “On the one hand, publicising a breach would help other businesses avoid falling prey to attacks. On the other, damage to your brand and reputation could be significant.”
He says this is even more pertinent in light of the European Commission’s proposed overhaul of its data protection laws, which would see companies face fines of up to 2% of their global annual turnover should they suffer a breach. “This would see the fallout from a breach being potentially disastrous not only for a company’s good name, but also for their bottom line.”
Another troubling finding from the survey was that 5% of respondents, when asked ‘what is the first thing you do when a new malware hits’, said they do nothing at all. Fortunately, Meftah said the vast majority of respondents (52%) said they would research the impact, 31% said they look for a patch and 1% said they wait to see the full impact.
When it came to sharing intelligence with competitors following a hack, the survey revealed that an encouraging 50% said they would share: 35% said they would be willing to reveal it anonymously, and 15% said they would be happy to be named.
“Sharing information about the source and nature of attacks allows the security community to act fast, and quickly isolate malicious or compromised hosts,” said Meftah. “In addition, it helps identify attack methods, tools and patterns, all of which help fuel research on new defense technologies.”
“The growing complexity and sophistication of threats make it difficult for security professionals to have a clear view of possible vulnerabilities, threats, and attacks that are out there.”
Sharing information can give the security industry a better understanding of these threats, helping it learn from them, develop more secure products and services, and improve its defenses.
According to Meftah, this is clearly illustrated by the responses to another of the survey questions: ‘How do you learn about security you need’. Informal communication channels such as blogs (14%), underground forums (6%) and peers (13%) were almost equal to more formal channels. “News web sites numbered only 13%, through partners / resellers 10%, and via education / training, 14%. Those who said through advertising and marketing numbered only 6%, the same number as those who learned through their superiors. Responders who cited using their own research following a problem came in at 16%.”