Attacks/Breaches
3/19/2014
01:06 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Many Businesses Fail To Disclose Data Breaches

Only about 35% of businesses worldwide say they share attack and threat information with others in their industry, even though 77% admit to suffering from a cyberattack.

There are likely many more breached retailers than Target, Neiman Marcus, Michaels, and Sally Beauty either unaware that they have been hit or not yet ready to go public. There also are many data breaches, even at retailers, that may never see the light of day: As a matter of fact, some 57% of organizations worldwide say they do not voluntarily report hacks that aren't bound by disclosure laws.

So says a new report published Tuesday by Arbor Networks and The Economist Intelligence Unit, which surveyed some 360 C-level or board-level business executives around the globe on their incident-response posture. Some 77% of the respondents say their firms had been hit with a cyberattack in the past two years, but only about 35% say they share attack and threat information with other organizations in their industry, 32% say they do not share such intelligence, and 27% did not say one way or the other.

"Only a third of companies are willing to share information about incidents with other organizations ... But these days, the only way to defend is sharing," says Dan Holden, director of Arbor's ASERT.

Threat and attack intelligence-sharing is widely considered crucial to fight the bad guys and to give organizations information to prepare or defend against attack campaigns.

Read the rest of this story on Dark Reading.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Stratustician
50%
50%
Stratustician,
User Rank: Apprentice
3/22/2014 | 12:03:57 PM
Re: No doubt.
The problem is that there is such a stigma attached with being breached (rightfully so), that unless they are mandated by the government or law enforcement, organizations have zero incentive to notify customers that there has been an incident. It's about balancing corporate image and brand and the safety of their customers.  Many organizations feel that it's better to keep these incidents under wraps unless they are forced to admit there was an incident for fear of brand damage and customer fallout.  On the other side, as a consumer, I have to accept that these things happen. Ofcourse no one wants to be involved in these incidents from a liability side, and I am reminded every time I have to change a password or a PIN due to an incident, but the reality is that I'm a lot less critical of a company if they proactively tell me they had an incident, as opposed to those who hide it.  These things sadly happen, and the reality is that these attacks are so sophisticated it's almost impossible to protect against (ofcourse there are exceptions to this, many breaches are caused by bad security practices too), but I think companies underestimate consumers if they think hiding an incident is a better choice than proactively telling their customers "sorry, we screwed up, but at least we're being honest".

Customers will forgive and forget if they feel they were respected.  
pfretty
50%
50%
pfretty,
User Rank: Apprentice
3/21/2014 | 11:47:55 AM
No doubt.
Cyber crime is increasing in volume -- up twenty percent in 2013 according to the HP Ponemon Cost of Cyber Crime Report (http://www.hpenterprisesecurity.com/ponemon-study-2013). At the same time the cost of attacks is up 30 percent as well. This should be a spotlight on the importance of having more intelligence based strategies in effect. 

Peter Fretty, j.mp/pfrettyhp
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio