Enterprise security breaches and the associated press coverage seem to have become somewhat passé as the populace grows accustomed to the news. The shock and awe factor no longer applies, it seems. Perhaps people have come to expect that hackers really are working 24/7 to steal their identity, their credit, their money, their reputation? (Likely so.) Perhaps the number of breaches really is leveling off? (Nope.) Perhaps press coverage is higher than it used to be, and folks have grown tired of repetitive news? (Maybe.)
One trend that seems to continue unabated: the time between the breach discovery and the public announcement is weeks or multiple months. The veil of secrecy keeps the company’s reputation intact for a period of time, but inevitably the truth will out. Yes, there are solid reasons for wanting to keep a breach under cover while the diagnosis continues and the backtracking to the source remains underway. Scare off the perpetrator and they go underground before the full extent of the breach is known and their identity can be uncovered. But how long is long enough?
As pointed out by my former colleague Ed Macnair, now CEO of CensorNet, in this recent article on the Cathay Pacific breach, millions of customers are affected, and the serious nature of the passport and credit card information involved in this breach speaks volumes when one considers whether consumers should take immediate action.
In the coverage of the recent British Airways breach a similar trend is noted: months go by between initial discovery and public announcements. That delay is complicated by significant oscillations in the number of consumers affected as the investigation takes new turns, with the current estimate at over 400k accounts affected.
Of course, there is an overriding wonderment to contend with: the hunt for evidence that the breaches have truly resulted in exploits. So many of the credit card breaches and identity breaches involve huge numbers of consumers, but even if your information is involved, how and when might you actually see evidence that the stolen information in question was used in a nefarious manner? Conversely, you may get hacked via another route and never be able to conclusively determine that there was a connection.
In any event, the trend toward consumers being kept in the dark for months on end while internal investigations continue does not lend itself to consumer trust of the enterprise in today’s climate of CEO and corporate board distrust. “What’s being hidden from me and why was I not told sooner? What ineptitude is the company potentially trying to conceal in the process?” Often law enforcement is brought in early in the process, as are various security firms well-versed in dealing with breaches of this nature. Often the breach and third-party involvement are announced, but specifics are left unmentioned until details have been fully determined. That third-party involvement often shows that the firm in question has taken steps to sanity-check its internal processes and resources in a belt-and-suspenders manner. Erring on the side of early disclosure to the patrons affected may not always be the chosen option, but consumers likely would appreciate knowing “something.”