When notorious companies announce a security breach, headlines, tweets and posts dominate the media. In 2015, successful cyber-attacks tripled to 160 per week, much higher than the 2010 average of 50 per week, according to the 2015 Ponemon Cost of Cyber Crime Report.
But are these the real numbers? An investigation conducted by Reuters revealed that not all companies notify the government and investors when they experience a security breach.
In 2011, the U.S. Securities and Exchange Commission (SEC) released new guidelines that clearly define the circumstances that determine when companies need to report a security breach. The new guidelines notified investors of a company’s current security plans and revealed the scale of cyber-attacks in the U.S.
In spite of the SEC guidelines, Reuters found that half a dozen major U.S. companies that experienced a security breach did not admit that the incidents took place.
After reviewing 2,000 filings in 2012, Reuters found that while companies did confess to dealing with a security breach, a majority of them used nonchalant language and glossed over the attack.
The SEC guidelines are extremely detailed and cover every aspect of a security breach. Unless a company is trying to avoid reporting an attack, the course of action to take after experiencing any hint of an intrusion can be found in the SEC guidelines.
A dent in credibility and a decline in sales are among the major reasons companies evade publicly announcing a security breach.
The public announcement of a security breach shows that consumers' bank accounts and other valuable information aren't safe, and negligence is a public message that many companies don't want to convey.
According to a 2014 Ponemon Institute Report, 27 percent of surveyed companies didn’t have a data breach response plan ready to counter a cyber-attack, and this lack of preparation doesn’t sit well with customers.
A report conducted by Centrify, an enterprise identity security company, shows that 75% of consumers in the UK will discontinue business with a company that has been hacked.
Besides the fear of gaining a bad reputation, others suspect that companies don't publicly announce security breaches because they don't want to invest in stronger security measures.
Companies with some of the most publicized security breaches walked away from the incident with only a minor dent in their pocket.
In the 2014 Target security breach, a CBS article reports that after insurance and tax deductions, Target spent $105 million to repair all damages, which amounts to 0.1 percent of Target's 2014 revenue. Home Depot's 2014 cyber-attack, which resulted in hackers gaining 56 million credit and debit card numbers and 53 million email addresses, cost the household-name company less than 0.01 percent of its 2014 annual income.
Companies compare the amount spent on hiring new cybersecurity staff and investing in the newest software to the amount spent cleaning up a cyber-attack, and the competing amounts highly influence corporations' decisions.
Some corporations are willing to risk credibility and a couple of dollars to save a large sum that would be used to heighten their cybersecurity. With insurance and tax deductions, some companies would rather pay for the cleanup instead of investing in preventative strategies.
Companies are attacked every day; some are oblivious to the attacks while others are well aware. To protect yourself in case a company you do business with has a security breach and has chosen not to notify you, sign up with a credit monitoring company to notify you of suspicious activity as soon as it occurs.
Even though some companies won't invest in cybersecurity defense strategies, consumers can take every precaution to create their own.