mailing list archives
'Cyber-shame' means never having to say you were hacked
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Mar 2014 19:12:49 -0600
Imagine your company gets hacked: who do you tell? The police? Trading
standards? Your customers?
Now, think like a chief executive - your key concern is how it affects your
company's profits (and that could include damage to its reputation). So you
tell your board of directors, but not the cops. Why? Because the police's
forensic investigation may actually end up disrupting the business and
costing you money. And you can't be sure they'll even get your stolen stuff
You're supposed to tell the Information Commissioner's Office if you lose
people's personal data - but how can you tell? After all, your IT security
person tells you several gigabytes of data went missing, but can't confirm
whether it was customers' details. So no, no call to the ICO.
And, since you can't tell whether individuals' data went missing, there's
no way you'd consider telling your customers.
All of this adds to a condition I've come to call "cyber-shame". If a bank
gets held up at gunpoint, its bosses generally feel safe in the knowledge
that the public will blame the crooks rather than the bank. If a company
gets hacked, there's a deep-rooted fear that people will blame the company,
somehow forgetting the criminals who are actually responsible.
The net result is a culture of secrecy around corporate hacking, and this
is why thousands of companies in the UK can get hit every year, losing
millions of pounds and we never find out about it. It also explains why,
despite three years of trying, I've never managed to get a corporate
hacking victim to talk on-record to Channel 4 News. But that situation
could soon come to an end.
New European rules will oblige companies to inform their customers as soon
as reasonably possible if a data breach has occurred. And the ICO can levy
fines that are a proportion of a company's revenue (as opposed to the
current set amount) - ouch.
If you want an idea of how this new system will change things, look at the
US, which already operates a similar system: when companies are hit they
must write to customers and tell them. The firms try to make the letters as
vague as possible, but the recipients have started sending them to security
researcher Brian Krebs, who hassles the companies concerned until they come
clean about what's actually happened. His tactics are a large factor in how
we found out so much about the Target cyber-attack.
The Krebs storm is now coming to Europe. It's going to be a shock.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus
on the right security. If you need security help or want to provide real risk reduction for your clients contact us!
- 'Cyber-shame' means never having to say you were hacked Audrey McNeil (Mar 25)