Execs Not Sharing Breach Info

Wednesday, March 19, 2014 @ 01:03 PM gHale

When it comes to reporting a cyber incident, a majority of organizations worldwide (57 percent) do not voluntarily report attacks when disclosure laws do not require them to, a new report said.

Seventy-seven percent of the respondents said their companies suffered a cyber attack in the past two years, but 35 percent said they shared attack and threat information with other organizations in their industry, 32 percent said they do not share such intelligence, and 27 percent did not say one way or the other, according to Arbor Networks and The Economist Intelligence Unit, which surveyed 360 C-level or board-level executives around the globe on their incident response posture.


“Only a third of companies are willing to share information about incidents with other organizations … But these days, the only way to defend is sharing,” said Dan Holden, director of Arbor’s ASERT.

The U.S. is more active in intelligence-sharing than other nations, according to the report, with financial services, critical infrastructure and higher education as some of the most active in this practice.

Meanwhile, security incidents are becoming more common, frequent and sophisticated. While 77 percent said they suffered an incident in the past two years, not all were the result of an outside attack. An insider caused major system damage according to 30 percent of respondents, while 27 percent suffered exposure of sensitive data.

In terms of reacting to incidents, 60 percent of organizations now have an incident response team and plan in place to prepare for an attack, with that rate on the rise, the report said. Large companies (80 percent), and 70 percent of respondents overall, have third-party relationships in place with specialists. Those organizations hit with an attack in the past two years were more than twice as likely to have partnered with an incident response specialist firm.

C-level executives see a well-orchestrated response to a security incident as a potential reputation-booster, the report said. Two-thirds of the respondents said responding well to an incident can “enhance” the company’s public reputation.

The report also found few executives remain confident their organization can take on a security incident: Only 17 percent said they are fully prepared, and more than 40 percent said they would be better prepared if they had more knowledge about the threats out there. About half said they cannot predict how a breach would affect their business.

The findings come from the report “Cyber incident response: Are business leaders ready?”
