A new report from the European Union's cyber-security agency reveals a disturbing – but sadly unsurprising – fact: Most security breaches generate no timely protective response because the breaches never get reported.
The report by the European Network and Information Security Agency (ENISA) applies specifically to cyber-security conditions in the EU. But there is no reason to believe that security reporting is any better elsewhere, including in the US.
The scope and consequences of cyber-security breaches are far-reaching, and by now some of those breaches are well known. Within the EU alone, a British data center failure in 2011 blocked millions of business messages worldwide; a certificate authority (a provider of the security certificates that protect online communications) was compromised, also in 2011, exposing millions more communications; and earlier this year yet more millions of business passwords were exposed.
But these are only the breaches we learn about. If breaches are not reported, we have no idea which users, or how many of them, have been exposed. And the users are left unaware of the risks they face.
According to a statement by the EU report's authors, Dr. Marnix Dekker and Chris Karsberg, "cyber incidents are most commonly kept secret when discovered, leaving customers and policymakers in the dark about frequency, impact and root causes."
The linked article does not go into the causes of incident non-reporting, but they are not hard to guess. The problem is rooted in human nature.
No one likes to hear bad news, and no one wants to be its bearer – least of all to the boss or to the firm's customers. But reporting a security breach is the vital first step toward a protective response: a problem that goes unreported cannot be contained, and it will fester and probably get worse.
At GRT Corporation we believe that one basic key to protecting security is to foster a culture of openness and proactive response. Security-savvy executives – and customers – will understand that prompt notification of problems is a sign of good security practices. But this basic truth often needs to be emphasized.
Don't put your hands over your ears. It won't make the problem go away. Security begins with awareness.
The security principles set out in the ISO/IEC 27000 family of standards provide a framework for effective security: ISO/IEC 27001 defines an information security management system built around the cycle of Plan, Do, Check, and Act (PDCA), and ISO/IEC 27002 supplies the catalogue of controls that such a system draws on. Many good security products are on the market, but each is designed to meet specific threats – and will not block others. At GRT Corp. our security philosophy is built around these words by noted security expert Bruce Schneier: "Security is not a product, but a process."