Half of Firms Fail to Fully Disclose Breaches — Report
It’s not just Uber: an astonishing half of IT security decision makers polled by CyberArk claimed their organization didn’t ‘fully’ inform customers when their personal details had been breached.
The security firm interviewed 1300 cybersecurity leaders to compile its latest study, The Business View of Security: Examining the Alignment Gap and Dangerous Disconnects.
A spokesperson confirmed to Infosecurity that no further details were available from the research on exactly what ‘fully’ means in this context.
However, the 50% figure is a stark reminder that many organizations are playing with fire in light of the forthcoming EU General Data Protection Regulation (GDPR), which will mandate 72-hour breach notifications.
The past 12 months have seen a slew of delayed and nebulous breach reports from big-name firms that should know better, including Yahoo, Equifax and Uber.
In a now-infamous case, the ride-hailing company chose not to inform customers at all of a breach last year, instead electing to pay off the hackers to delete the data in a bid to hush up the incident.
UK banking regulator the Financial Conduct Authority (FCA) this week announced new rules forcing lenders to be more transparent about security incidents, after last week claiming there’s “currently a material under reporting of successful cyber-attacks in the financial sector.”
David Higgins, director of customer development EMEA at CyberArk, said it’s not uncommon for organizations to want to hide the extent of damage caused by cyber-attacks.
“This sort of behavior will have massive consequences in the coming year with enforcement of GDPR fines for lack of compliance,” he added. “What’s also surprising about this survey is the persistence of rampant poor security practices and lack of consistency across line of business and IT security leaders — despite strong awareness of risks and continued headline-generating cyber-attacks.”
These poor security practices included a third of respondents claiming they don’t have an adequate understanding of security policies.
A similar number (31%) claimed they don’t use a privileged account security solution to store and manage privileged and/or administrative passwords.
Source: Information Security Magazine