Cracking the code of silence

New European rules aim to make companies more transparent about data breaches, but some experts warn that they may have the opposite effect.

Written by The Economist Intelligence Unit

Pick a large company at random and there is a high chance that it will have been the victim of a malicious security attack. In the UK, over three-quarters (78%) of large organisations admitted that they had been attacked by an unauthorised outsider in the previous 12 months, according to a 2013 report[1] by the UK government’s Department for Business, Innovation and Skills. Yet the number of companies that have spoken publicly about data breaches remains vanishingly small.

Clearly, companies are reluctant to reveal security incidents, even though they are such a common occurrence. The recent compromise of security at the major US retailer Target is a case in point. Details of the breach, in which tens of millions of customers’ credit-card details were compromised, were first revealed by the security expert and blogger Brian Krebs, not the company itself.

For many companies the risks of disclosure outweigh the benefits. “This is being driven by potential adverse publicity and the fear of loss of confidence in the company,” says Paul Simmonds, a former information security chief at the pharmaceutical firm AstraZeneca and the current chief executive at the Global Identity Foundation. “There is little perceived benefit in disclosing, especially if it’s not mandatory, against lots of risk.”

Boards of directors, charged with maintaining the share price of publicly listed companies, are especially unlikely to sanction any more disclosure than is strictly necessary, lest the news trigger a share price crash.

That is not to say that companies keep security incidents entirely secret. Security and IT chiefs generally recognise the long-term benefits of greater transparency. They realise that if legitimate businesses are to combat the criminals who are trying to steal their data, they must share information just as effectively.

Most of this information sharing goes on behind closed doors, through specialist professional forums. Last year, the UK government launched the Cyber-Security Information Sharing Partnership (CISP), which provides member companies with a “virtual environment” through which they can share information about current and emerging security threats.

CISP has been well received by UK businesses, says Stewart Room, a security specialist and partner at the law firm Field Fisher Waterhouse. “Businesses have really embraced the idea of sharing information on threats, risks and breaches,” he says.

Still, their willingness to share mostly falls short of public disclosure, meaning that customers—who may be at risk following a data breach—are left in the dark. Soon, though, European companies may be forced to disclose data breaches in public, if proposed revisions to the EU’s data protection rules are ratified.

Mandatory disclosure

New laws proposed back in 2012, and still being debated in the halls of Brussels, include a data breach notification law that would oblige all companies above a certain size to disclose details of any breach affecting customer data within 24 hours of discovering it. Backers believe this new rule will protect the right of citizens to know what happens to information about them and will alert other businesses to common threats.

However, the European Commission has also proposed considerable fines for companies that fail to protect their customers’ data adequately. Critics fear that the threat of a fine will in fact discourage companies from disclosing data breaches.

Mr Room argues that businesses may see the new legislation more as a trap than as a mechanism to encourage appropriate behaviour. “They believe in sharing information and disclosing incidents in the right way, with the right people,” Mr Room says. “But when it is a pathway to sanctions, it does not appeal.” In particular, many organisations believe that they should escape sanction if they own up to a data breach, no matter how serious, as long as they have behaved responsibly. This is not to say negligent companies should go unpunished, Mr Room adds.

The 24-hour rule may also prove counterproductive, according to Andrew Kellett, the principal security analyst for the IT advisory firm Ovum. If senior management learn of a breach more than 24 hours after it was first detected, for example, they may choose to keep quiet rather than face a fine.

Meanwhile, Mr Kellett says, the average time it takes organisations to detect breaches is getting longer. Research by the security company Trustwave found that the average time to detection in 2012 was 210 days, up from 175 in 2011. “It still takes an organisation too long to identify breaches,” says Mr Kellett. “We’re not getting any better at detection. Indeed, we’re getting worse.”

Few would question the benefits of sharing information about security incidents, but the manner in which that information should be shared is still subject to debate. The European Commission hopes that it can propagate a new culture of transparency with its proposed legislative reforms, but some experts believe they could simply reinforce the code of silence.

1. http://www.pwc.co.uk/assets/pdf/cyber-security-2013-technical-report.pdf