U.S. companies still not being honest about cyber attacks

The Internet won't get any less dangerous until companies are forthright about disclosing cyber crime and cyber terrorism

Reuters reported yesterday that scores of U.S. companies who've been hit by cyber attacks keep it a secret, whether in the name of staving off a PR crisis or because they didn't think a particular attack was worth mentioning. The news isn't too big a surprise: Reuters pretty much reported the same phenomenon back in February. It's disappointing, though, because we'll never get around to fighting cyber crime and cyber terrorism in a meaningful way until we acknowledge the scope of the issue.

The problem is, companies are not legally required to report when they've been the victim of a cyber attack. Back in October, the SEC issued toothless guidelines that gently suggest companies maybe, perhaps let customers, partners, investors, and authorities know if they've been hit -- but only if they want to. No pressure.

It's abundantly clear, eight months after the SEC's guidelines came out, that most companies are still more comfortable keeping their cyber victimhood to themselves. It's not tough to figure out the reasons: Full disclosure could lead to a PR nightmare, driving away customers and partners and sending investors into a panic as stock prices tumble and the public clamors for the CXO's head on a platter. (Though maybe that's not really a valid concern -- LinkedIn's stock prices actually went up after the company disclosed its databases were breached earlier this month.)

The case in favor of companies sticking their necks out and disclosing breaches is compelling. In the short term, disclosing a cyber attack arms law enforcement and cyber security companies with actionable information to help squelch potentially widespread threats before they spiral out of control. That applies to newly discovered malware on a network or targeted data thefts that might turn out to be part of wider series of attacks against particular types of organizations.

Meanwhile, a company's customers, partners, and investors can act on those prompt disclosures, determine if they've been affected, and take the necessary actions. They likely won't be pleased to learn they could be at risk, but they'll be far more unhappy if they find out in a less pleasant way down the line -- say, in the form of mass identity or IP theft. That scenario could also come back to bite a company in the form of a major lawsuit.

In the long term, full disclosure gives the-powers-that-be a clearer picture of the magnitude of the threats from cyber crime and cyber terrorism -- both of which are increasingly becoming more prevalent, more sophisticated, and more damaging. The only viable solution to the overarching problem is to fix the Internet already (a point that InfoWorld's Roger A. Grimes has made time and again [PDF] -- and rightly so).

The only way to get that process moving is to first recognize just how significant the problem is. And there's no way to do that if victims of cyber crime aren't reporting them. The alternative is to sit around and wait for the cyber equivalent of Sept. 11 to affect massive, necessary change.

Here's hoping that more organizations step up to fight cyber crime, both by disclosing attacks they've suffered and by joining the call for making the Internet a safer place. The stakes are too high to cling to pre-Internet business practices.

This story, "U.S. companies still not being honest about cyber attacks," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.


Copyright © 2012 IDG Communications, Inc.