To Disclose or Not To Disclose

Corporations must establish trust in order to be successful. Their customers must trust them. Their shareholders must trust them even more. That trust matters most when thousands or millions of customers depend on a company to keep their personal and confidential information private.
Home users are leery of e-commerce in the first place. They hear horror stories and buy into media hype. Everyone has a cousin with a friend who bought something online with a credit card and subsequently had their bank account emptied.

Granted, in most cases it's more urban myth than truth, but people still believe this is a common occurrence and think twice about sharing their information.

Because of the caution with which many people approach sharing this information, it is of paramount importance to the companies they share it with that they protect it at all costs. If the information falls into the wrong hands, customers will lose confidence and take their business to a competitor. If customers leave, Wall Street will lose confidence and move its money to a competitor as well, and the company may cease to exist.

Understandably, then, companies are more interested in quickly and quietly recovering from a hacking incident or security breach than they are in calling the authorities or bringing attention to themselves in any way. While they may harbor a secret desire to track down the culprits and bring them to justice (or just stone them in the public square), they are more interested in ensuring that the public at large, their customers and their shareholders do not find out about the breach.

Companies are especially reluctant to notify the authorities because of the US Freedom of Information Act. Records filed with government agencies can become reachable through FOIA requests, so the press or any interested individual could potentially learn not only that the company was hacked, but also many of the details of the attack and of the company's infrastructure, which may leave it susceptible to further attacks. FOIA does carry exemptions for law-enforcement records and confidential business information, but the fear of disclosure persists.

The flip side of this, though, is that the same hackers who infiltrated Company A may also have infiltrated Company B and Company C. When all three companies hush things up and carry on as if it's business as usual, not only are the hackers not caught, but nothing is learned or gained from the experience.

If the goal is to apprehend and prosecute the attackers, there may be a pattern or minor clues that can't be seen when looking at only one incident from one point of view. Perhaps Company A can't find anything and Company B can't find anything, but putting the information from the two incidents together provides a broader picture that sheds light on the source of the attacks.

Even if the companies involved genuinely don't care to pursue the attackers, the information security world at large gains nothing when intrusion incidents are kept quiet. If Company A's customer database is hacked and 5 million customer credit card and Social Security numbers are compromised, that is very bad for Company A and its customers. The same attackers might then use the exact same exploit or methods to infiltrate Company B and Company C. Had Company A disclosed details of the attack on its database, other companies could have taken the lessons learned and applied them to their own systems to prevent similar attacks from succeeding.