[BreachExchange] Don’t let embarrassment about a data breach cost you even more

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 5 18:18:33 EDT 2016


http://www.computerworld.com/article/3051145/security/don-t-let-embarrassment-about-a-data-breach-cost-you-even-more.html

Nobody likes to be embarrassed. That goes for company executives. This fact
of human nature helps explain why the breach-disclosure laws that have been
adopted by many states can be leveraged by data thieves for even more
profit than they could realize before.

Companies have always been reluctant to admit to data breaches. A lot of
that reluctance can be attributed to simple embarrassment: We’ve been
telling our customers that our security would keep their sensitive data
safe, even when we knew that no security system is perfect.

This is true even for companies that you wouldn’t think were capable of
being embarrassed. After all, companies whose business has been
facilitating extramarital affairs and offering porn on demand have been
breached. They undoubtedly would have welcomed the resulting publicity,
except that the circumstances made it clear to their customers that their
names were in danger of being made public.

That reluctance to go public has led many jurisdictions to require
companies to report data breaches. One problem with such laws is that they
do nothing to remove the embarrassment that goes with public acknowledgment
of a security failing. And so companies split hairs and come up with ways
to rationalize not reporting breaches.

That, in turn, is giving the bad guys a new opening.

When a company’s executives decide to hide a breach, their action can morph
from unsavory to illegal. Worse, that decision leaves them exposed to the
very attackers behind the breach, who know that the company has not done
what the law requires and can now threaten it with disclosure.

That makes it a two-stage threat. An attacker breaking into your network and
then bragging about it is embarrassing. But if the attacker breaks in and
waits to see whether you report it, and you run out the clock and opt not to
report it, the attacker’s disclosure can expose you and your colleagues to
civil penalties. In short, it makes a bad situation far worse.

Who in the world would take such a risk? Quite a few people. When your job
is to prevent break-ins and one happens anyway, it’s pretty easy to
rationalize a cover-up.

The risks that such decisions give rise to were made dramatically clear on
Thursday (March 31) when Reuters described a new global crime trend:
cyberthieves partnering with traditional organized crime syndicates to
attack banks across the world. If the banks are hesitant to reveal that
they were successfully attacked, law enforcement is never informed, and
that is a win-win-win for the bad guys: they get to keep the money and sell
the data, and they don’t have to worry about evading police who don’t know
a crime occurred. And if they’re especially greedy, they can also extort
more money from the bank in exchange for a promise to keep quiet. Put
another way, the bank can be victimized four ways via one breach. Even
worse, unlike the typical cyberthief, these gangsters don’t mind getting
physical in their threats. Cyberthieves are bad, but they rarely get into
the kneecap-smashing end of things. With this arrangement, they now have
partners who will.

“Hundreds of millions of dollars, and perhaps much more, have been stolen
from banks and financial services companies in recent years because of this
alliance of traditional and digital criminals, with many victims not
reporting the thefts for fear of reputational damage,” the Reuters story
said. “Typically, security and cyber-crime experts say, hackers break into
the computer systems of financial institutions and make, or incite others
to make, fraudulent transactions to pliant accounts. Organised crime then
uses techniques developed over decades to launder the money, giving the
alliance much higher rewards than a hold-up or bank vault robbery, with
much less risk.”

But let’s ponder a bit more why companies would allow themselves to be
placed in such a situation. One factor is that, even in the U.S. states
that mandate disclosure, the laws offer a healthy amount of wiggle room.
First, companies can be exempted from the requirement if law enforcement is
willing to sign off on the need for secrecy during a post-breach probe. All
too often, law enforcement is happy to do that. Moreover, the laws often
are applicable only if the breach is a direct threat to consumer privacy.
That becomes a judgment call — one that is made by people who have a very
strong incentive to conclude that the breach is not a direct threat to
privacy.

Because the decision to report a breach is not black and white, it’s easy
to see why companies can end up saying, “All right, let’s not embarrass
ourselves needlessly.” Think about it. Most Fortune 100 companies see a
huge number of penetration attempts every day, and some of those attempts
will get further than others. At what point do they cross the line into a
breach? Lacking evidence that any data was accessed, most companies are
going to decide that no reportable breach occurred. But does lack of
evidence of success equal evidence of an attack’s failure? Of course not,
least of all when the logs that would hold that evidence are among the
first things a competent intruder touches.

Consider a company that’s been subjected to a distributed denial-of-service
attack. In theory, a DDoS attack does not translate into data being
stolen, so it’s easy for the fear of embarrassment to lead to a (seemingly
justified) decision not to disclose. Besides, the parties rationalize,
there’s probably not a lot that law enforcement can do that our own people
can’t, so let’s just hire a confidential forensic security team and call it
a day.

Ah, but what if the DDoS attack is only a diversion, so that your security
people will be intently focused on fighting to keep the site up, leaving no
one to notice that files are being accessed at the same time? By the time
the DDoS is halted, the logs and other evidence of the real attack will have
been deleted or altered. No breach detected, no breach reported. End of
story? Yes, until the attackers contact the company with a blackmail
demand.
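The diversion scenario above is one a detection engineer can actually check for. The following is an added example, not code from the Computerworld article or from the BreachExchange list: it correlates a constructed web-traffic flood with a constructed file-server audit log to surface sensitive-file access that happened while everyone was watching the outage, and it keeps that audit log as a SHA-256 hash chain so that a line deleted or rewritten afterwards shows up as a broken link rather than silently disappearing. Every timestamp, IP address, username and path is made up for the demonstration; the request-rate threshold and the five-minute slack window are assumptions to tune for a real environment.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# --- Constructed sample data (not real logs) -------------------------------
# Web front-end log: one (time, client_ip, path) tuple per request. Normal
# traffic is a request or two per minute; 10:00 and 10:01 are flooded.
def _flood(minute, n, ip_base="203.0.113."):
    return [(datetime(2016, 3, 31, 10, minute, s % 60), f"{ip_base}{(s % 250) + 1}", "/")
            for s in range(n)]

WEB_LOG = (
    [(datetime(2016, 3, 31, 9, 58, 5), "198.51.100.7", "/login"),
     (datetime(2016, 3, 31, 9, 59, 40), "198.51.100.9", "/account")]
    + _flood(0, 600) + _flood(1, 600)
    + [(datetime(2016, 3, 31, 10, 3, 12), "198.51.100.7", "/logout")]
)

# Internal file-server audit log: (time, user, path). The 10:01:17 line is
# the real attack hiding behind the flood (assumed service account name).
FILE_LOG = [
    (datetime(2016, 3, 31, 9, 57, 2), "jdoe", "/share/marketing/brochure.pdf"),
    (datetime(2016, 3, 31, 10, 1, 17), "svc_backup", "/share/finance/customer_cards.csv"),
    (datetime(2016, 3, 31, 10, 20, 44), "jdoe", "/share/marketing/logo.png"),
]
SENSITIVE_PREFIXES = ("/share/finance/", "/share/hr/")


def ddos_minutes(web_log, threshold=100):
    """Minutes whose request count exceeds `threshold` (assumed: a per-minute
    rate the ops team would already be alarming on). Returns sorted datetimes."""
    counts = Counter(t.replace(second=0, microsecond=0) for t, _, _ in web_log)
    return sorted(m for m, n in counts.items() if n > threshold)


def diverted_access(file_log, flood_minutes, sensitive=SENSITIVE_PREFIXES,
                    slack=timedelta(minutes=5)):
    """Sensitive-file events that fall inside a flood minute or within `slack`
    after it. The slack catches exfiltration that continues once the flood
    stops and the responders relax."""
    hits = []
    for t, user, path in file_log:
        if not path.startswith(sensitive):
            continue
        if any(m <= t < m + timedelta(minutes=1) + slack for m in flood_minutes):
            hits.append((t, user, path))
    return hits


# --- Tamper-evident audit log ----------------------------------------------
def chain_log(events):
    """Hash-chain the audit log: each digest covers the previous digest plus
    the serialized event, so deleting or rewriting any line invalidates every
    link after it. Ship the digests off-box as they are produced."""
    prev = b"\x00" * 32
    chained = []
    for ev in events:
        line = "|".join(str(f) for f in ev).encode()
        digest = hashlib.sha256(prev + line).digest()
        chained.append((line, digest))
        prev = digest
    return chained


def verify_chain(chained):
    """Return -1 if every link verifies, else the index of the first broken link."""
    prev = b"\x00" * 32
    for i, (line, digest) in enumerate(chained):
        if hashlib.sha256(prev + line).digest() != digest:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    floods = ddos_minutes(WEB_LOG)
    print("flood minutes:", [m.strftime("%H:%M") for m in floods])
    for hit in diverted_access(FILE_LOG, floods):
        print("sensitive access during flood:", hit)
    chained = chain_log(FILE_LOG)
    print("intact chain verifies:", verify_chain(chained) == -1)
    tampered = chained[:1] + chained[2:]   # attacker deletes the 10:01 line
    print("first broken link after deletion:", verify_chain(tampered))
```

The point of the pairing is procedural as much as technical: an availability incident that overlaps any sensitive-file access, or any break in the chain, should route the event into the breach-assessment process rather than being closed as an outage, which removes the judgment call the article warns about from the people with the strongest incentive to get it wrong.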

My point is that data breaches and breach-disclosure laws are realities
that affect each other and that companies need to think about carefully.
They must work out precise and explicit guidelines long before they are in
the thick of a real incident. To decide things on the fly, based on the
particulars of each situation, is a recipe for inconsistency. You are
letting the people who are in charge of preventing attacks decide when they
have to tell the world about an attack — and the potential for
embarrassment will influence their decisions, because they will be sure
that the world is going to decide that they failed to do their job.

Look, keeping quiet out of a sense of shame can cost you a lot more than
you realize — and everything will probably be disclosed in the end anyway.