Breach and Tell: The Current State of Breach Disclosures

Should enterprises report a breach or play it down and stay quiet about it?

July 7, 2023


Organizational breach disclosures have become a widely discussed topic of discourse within the cybersecurity industry due to increased data compromises in recent years. Alan Radford of One Identity questions the best way forward regarding breach communications – whether to report it or not.

A data breach occurs when the data that a business is responsible for suffers a security incident resulting in a breach of confidentiality. However, while a breach may be easily identified in the event of a ransomware attack, there remains a great deal of uncertainty over what constitutes a breach and in which instance it should be reported to the relevant supervisory authority for further investigation. 

Compliance and Regulations 

In the event of a data breach, there are certain compliance standards and legal regulations organizations must follow. Since the enforcement of the General Data Protection Regulation (GDPR), all organizations are required by law to report certain types of personal data breach incidents to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. Organizations that are operators of essential services (OES) and relevant digital service providers (RDSPs) are also expected to report under the Network & Information Systems (NIS2) directive, as in this example provided on the ICO website: 

“An OES is subject to a cyber-attack that causes a substantial impact on the provision of its service. It reports this incident to its competent authority within 72 hours of becoming aware of it.

The OES then establishes that the incident also resulted in its customer database being unlawfully accessed by the attacker. This means that a personal data breach has also taken place, and the OES must notify the ICO of this in accordance with the UK GDPR’s requirements on breach reporting.”

However, in any instance, organizations are advised first to assess how the breach happened, what level of risk the breach poses to data subjects and how sensitive the incident is, in order to determine whether it is appropriate to report. Consequently, this has led to confusion over whether a breach should be reported internally, externally, both or not at all. 


The Keep Quiet Approach 

While an increasing number of regulations have made the reporting of data breaches mandatory, some security professionals in leadership roles choose to remain silent when faced with a breach. In fact, a recent study of 400 IT professionals, from junior IT managers to CISOs, found that over two-fifths have been told to keep a security breach under wraps, potentially inflaming regulatory compliance risk. Yet it is not surprising that the natural reaction for most C-level executives is to keep quiet during a potential breach, as the consequences of disclosing an incident have the power to jeopardize an organization’s entire reputation. 

This could result in irreparable damage, such as the derailing of mergers and acquisitions or significant disruption to the business. Another key consideration in this is now the cyber insurance question. With cyber premiums rising, organizations may choose not to report a breach to ensure the premiums they have negotiated do not change.   

Failure to report a breach under these compliance regulations opens the door to heavy fines and penalties, followed by an investigation by the ICO and even worse reputational and operational risks. Regardless of these regulatory mandates, organizations of all kinds need to recognize that the days when they were able to quietly hush up a data breach are behind them. Under proposed incoming SEC rules, cybersecurity activity would need to be disclosed to investors, in the words of SEC chair Gary Gensler, to “strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting”. In other words, a security incident would need to be disclosed, or it will undermine investor confidence. 

While there is a moral obligation to report a breach, there are also fewer and fewer places to hide. The longer it takes to report the breach, the more the organization’s integrity comes into question, affecting investors and customers alike.

To Report or Not to Report? 

Many cybersecurity specialists would argue that reporting a confirmed data system compromise internally is a no-brainer, perhaps also triggering and reinforcing the need for data security training for staff. Yet reporting a breach externally presents a myriad of consequences for the business. Once a breach becomes public knowledge, media attention quickly follows, which then requires a media-trained professional to deliver the organization’s official response effectively, so that damage control and the recovery plan succeed. This underlines the need for controlled reporting channels, so that information about a potential breach flows through an effective formal reporting process. 

Reporting a breach, whether it is done internally or externally, will help organizations learn from the incident and take the appropriate measures to improve their cybersecurity posture. Many industry verticals have peer-sharing networks for comparing notes on cybersecurity initiatives, which help in maintaining an awareness of attack vectors in progress and in sharing initiatives that are proving to be successful. Ultimately, this level of openness between peer groups will help to prevent future security incidents from turning into major security breaches. 

However, the ideal approach is to stop a breach before it starts. To do this, organizations need to think about adopting an identity-centric approach to security by bringing together solutions such as identity governance and administration (IGA), privileged access management (PAM) and access management (AM). This reduces the technical and administrative burden on teams, increases the visibility of gaps in security posture, makes teams more agile and proactive in responding to indicators of compromise, and significantly reduces the risk of a breach.


Alan Radford
Alan Radford is a technology strategist responsible for EMEA field strategy at One Identity, with 20 years’ experience in Identity Access Management. An experienced business owner and subject matter expert in Identity Governance and Privileged Access Management, he has worked with organizations across the globe facing unique challenges in the IAM space, bringing innovation and thought leadership to successful IAM strategies.