Catching up on my reading, I found this article from last week. So, apparently there is a habit amongst companies in the US of not disclosing that they've been compromised by cyber attacks. Yeah, I said it. While this is not news, I'm curious as to why companies might think it would be better to hide the dirty laundry. Eventually it will find the daylight anyway, so coming clean would seem to make sense.
From Reuters:
“There have been lots of breaches in every industry that have never been publicized,” said Shawn Henry, the FBI’s former top cyber cop, who joined a new cyber security company, CrowdStrike, in April.
Henry said the FBI was working on 2,000 active cyber cases when he retired from the agency in March. “There’s only a handful of cases that anybody has ever heard about,” he said.
Why might this be? Simple. Companies are often of the collective mind that the breach has no material bearing on their business, and so they take the stance that their investors or stakeholders need not know.
Of course, we see the proverbial line-up of security vendors saying, "we need to hold companies accountable."
Which gets rather amusing when you consider that Enrique Salem, the CEO of Symantec, had this to say:
“Shareholders have a right to know if their investment is somewhat at a new risk, or if they’ve lost intellectual property,” Salem said.
Symantec itself did not disclose a 2006 breach until this year, when hackers revealed they had obtained the proprietary source code, or blueprints, to several key products including older versions of Norton antivirus software.
Um, oops.
Source: Article Link
(Image used under CC from SaltGeorge)