Majority of cyber security pros reluctant to notify customers about breaches
6 June 2018
Only 37 percent of cyber security professionals are willing to notify their customers about cyber security breaches immediately after discovering a breach, even though a majority of them expect to be notified by their vendors right away once a breach is discovered.
Such double standards were exposed by a survey carried out by security firm Thycotic at the recently-held RSA Conference in San Francisco. The survey of more than 250 cyber security professionals revealed that 84 percent of them expect to be notified immediately by their partners/vendors once a breach is discovered.
On the contrary, they are not as honest when it comes to informing customers about data breaches immediately. While 37 percent of them would disclose breaches to customers immediately, 16 percent of them would keep a data breach a secret from the public or unsuspecting victims, which Thycotic said may have been a result of pressure from executives or board members since these incidents could have a major negative impact on the business.
“Organizations are typically required by regulations such as the GDPR and other requirements within their specific industry to publicly report any breaches. While withholding information may protect a company’s brand and reputation, it restricts the benefits of sharing key data and lessons learned from cyber-attacks.
“This is a major reason why many governments are pushing for a general Data Breach Notification Requirement to ensure companies respond quickly and responsibly to data breaches and not hide them for months or even years,” the firm said.
Poor incident response procedures?
According to Thycotic, a major reason why a majority of cyber security professionals are reluctant to disclose data breaches to customers or clients is a lack of preparation in setting policies and procedures for proper response. Nearly 50 percent of those surveyed said they were not fully prepared to handle incidents and breaches and had not tested their incident response plans.
“Without roles assigned and rigorous processes in place for legal checks, law enforcement collaboration, and forensics involved in an incident response plan, it’s not surprising that organizations may be reluctant to immediately notify customers and partners when their own internal house is not in order,” the firm added.
The survey also revealed that only 20 percent of cyber security professionals have prepared a contact list and communications to manage an incident, only 12 percent have conducted “Red Team” training with their executives, only 10 percent have a public relations team prepped to manage incident communications, and 56 percent have an Incident Response plan in place and tested.
Shocking lack of visibility over privileged accounts
A tiny 7 percent of security professionals told Thycotic that they discover, manage and secure privileged access accounts, which also means that a vast majority of them do not have visibility over privileged accounts in their organisations and consequently cannot secure all of them.
At the same time, just 5 percent of them use a dedicated Privileged Access Management (PAM) system as recommended in SANS Critical Security Controls, 5 percent use a privileged vault to store passwords securely, and 15 percent log directly onto systems using privileged accounts, thereby increasing the risk of privilege abuse.
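Two of the controls the survey asks about, discovering which accounts actually hold privilege and spotting direct logins with privileged accounts instead of going through a PAM system, can be checked against ordinary authentication logs. The script below is an added example written for this article, not code from Thycotic or from the survey; it parses a handful of constructed sshd and sudo log lines (the hostnames, users and addresses are invented), flags successful logins made directly as an account on an assumed privileged inventory, and reports users who escalate via sudo but are missing from that inventory, which is the visibility gap the article describes.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines for the example; not from any real system.
SAMPLE_AUTH_LOG = """\
Jun  6 09:12:01 web01 sshd[2210]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Jun  6 09:14:44 web01 sshd[2231]: Accepted password for alice from 10.0.0.7 port 51240 ssh2
Jun  6 09:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jun  6 09:20:17 web01 sshd[2302]: Accepted password for backup-admin from 192.0.2.44 port 40022 ssh2
Jun  6 09:21:00 web01 sshd[2310]: Failed password for root from 198.51.100.9 port 40100 ssh2
Jun  6 09:25:33 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# Assumed privileged-account inventory (what the organisation *thinks* it has).
KNOWN_PRIVILEGED = {"root", "backup-admin"}

# Successful interactive SSH logins (failed attempts deliberately ignored here).
SSH_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)"
)
# sudo audit lines: invoking user, target user and command.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def analyse(log_text, known_privileged=KNOWN_PRIVILEGED):
    """Return direct privileged logins and sudo users absent from the inventory."""
    direct_logins = []          # (user, source address, auth method)
    sudo_counts = defaultdict(int)
    for line in log_text.splitlines():
        m = SSH_ACCEPTED.search(line)
        if m:
            # Logging straight in as a privileged account bypasses any PAM/vault checkout.
            if m.group("user") in known_privileged:
                direct_logins.append((m.group("user"), m.group("src"), m.group("method")))
            continue
        m = SUDO_LINE.search(line)
        if m:
            sudo_counts[m.group("user")] += 1
    # Anyone who escalates via sudo is effectively privileged; if they are not in the
    # inventory, the inventory is incomplete ("discover" step of the control).
    undocumented = sorted(set(sudo_counts) - set(known_privileged))
    return {
        "direct_privileged_logins": direct_logins,
        "undocumented_privileged_users": undocumented,
        "sudo_counts": dict(sudo_counts),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_AUTH_LOG)
    for user, src, method in report["direct_privileged_logins"]:
        print(f"DIRECT PRIVILEGED LOGIN: {user} from {src} via {method}")
    for user in report["undocumented_privileged_users"]:
        print(f"UNDOCUMENTED PRIVILEGED USER: {user} "
              f"({report['sudo_counts'][user]} sudo escalation(s))")
```

In practice the inventory would come from the PAM system or directory rather than a hard-coded set, and the log source from a collector rather than a string; the two checks stay the same, and the first finding (a successful login as a privileged account) is exactly the behaviour the 15 percent of respondents who log directly onto systems with privileged accounts would generate.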
Earlier this year, Joseph Carson, chief security scientist at Thycotic, told TEISS that it is in effect a ‘game over’ scenario for businesses as soon as privileged accounts get hacked. Privileged accounts are essentially root-level accounts, or ones that can set up more accounts, and a breach there can lead to ‘catastrophic’ consequences for businesses because, once access has been obtained, malicious actors can go on to create and access accounts, create logs and steal information.
“Not protecting privileged accounts exposes organisations to compliance failure as well as data breaches. The difference is that when you compromise a non-privileged account, it allows the cyber criminal to use just one account: emails from one person and contacts of that one person. But with a privileged account, it is a major incident at that point. Organisations can be attacked thousands of times but breached probably just 100 times, and it will be down to what kind of account got breached,” he said.