Saturday , September 21, 2024

Survey Revealing Undisclosed Intrusions Indicates Data Breaches Are Under-Reported

The actual number of data breaches taking place in the United States may be much higher than generally understood, if a recent survey of corporate security professionals is any indication. The canvass of some 200 so-called malware analysts working for large and small enterprises revealed that fully 57% have dealt with a breach that their companies never reported to customers or other parties.

The incidence of such non-disclosure rises with the size of the company. Among security officers at organizations with more than 500 employees, the share reporting that they have investigated a breach that was never disclosed comes to 66% of respondents, according to the survey, which was released by ThreatTrack Security Inc., a Clearwater, Fla.-based vendor of cybersecurity services. Among those at organizations with fewer than 50 employees, the incidence drops to 18%.

“All of this does point to the fact that the numbers that we see today, while large, are significantly underestimating the scope of the problem,” Julie Conroy, a senior analyst at Boston-based Aite Group LLC who follows security issues, tells Digital Transactions News via email. “The results actually don’t surprise me, what surprises me is that people admitted to the under-reporting as part of a survey.”

The news of non-disclosure comes despite the fact that 46 states have enacted legislation requiring some kind of data-breach notification. “Small businesses are prime targets for entities seeking to deploy malware, and many of them are simply not aware of the patchwork of state laws that require notification,” Conroy says. “I’m sure there’s also a segment that looks at the cost associated with disclosure and chooses to take their chances with the regulatory consequences.”


Indeed, fear of regulatory backlash could account for why organizations suppress breach disclosure. “Companies are often concerned about what fines they will face, in the event they disclose a breach,” says Dipto Chakravarty, executive vice president of engineering and products at ThreatTrack, in an email message. “These expenses can often be a deterrent to full disclosure.”

Non-disclosure has consequences beyond the risk to customers, who could become fraud victims. It also could keep the industry in the dark about new malware variants. “From a security-vendor perspective, the more malware samples that are reported to the community, the better we can protect against them in real time as they come in,” says Chakravarty.


Meanwhile, the companies’ own top brass may be responsible for many of the vulnerabilities, as the same security officers reported having to plug security holes unwittingly created by senior executives who fell for phishing pitches, let family members use their company-issued device, or visited pornography sites.

Data compromises plague all industries, but are especially troubling for the payments business because of the sensitivity of the records held by banks, processors, and merchants, including card numbers, expiration dates, Social Security numbers, and the like. Overall, there were 621 confirmed data breaches involving 44.8 million records in 2012, according to the “2013 Data Breach Investigations Report” from Verizon Communications Inc. The study found that the great majority of the breaches, some 92%, were carried out by outside intruders. Nearly two-thirds of breaches take “months” for affected organizations to discover, according to the study.

Utility and manufacturing companies are most likely to hide breaches, according to the ThreatTrack survey, with 79% of security officers from those industries reporting an undisclosed compromise. IT and telecom (57%) and health care (56%) also produced a large contingent of analysts reporting non-disclosure.

Conroy cautions, however, that at least some of the respondents in the ThreatTrack survey may not always be aware that their company is reporting breach incidents. “Particularly in large organizations, they would be somewhat disconnected from the reporting process, so I suspect that some portion of those people are unaware of their company’s disclosure practices,” she says. A ThreatTrack spokesperson says that while this is possible, the company assumes the respondents knew the incidents weren’t reported if they said they weren’t.

The analysts also reported incidents involving malware they had to remove from top executives’ computers. Malware is malicious software planted by criminals who use the code to detect and download sensitive data. Some 56% of the respondents said they had had to clean executives’ machines after the executives had clicked on a link in a phishing email. The next most serious infections were attributed to these causes: attached an infected device (47%); allowed a family member to use the device (45%); visited an infected porn site (40%); installed an infected app (33%).

The good news in the ThreatTrack survey is that 38% of the respondents reported that it has become easier for them to defend their network from hackers, compared with 27% who said it has become harder. Thirty-five percent reported no change in difficulty.
