Companies pick and choose which data breaches to report

One in 7 information technology companies have not reported data breaches or losses to outside government agencies, authorities or stockholders.

In addition, only 3 out of 10 said they report all data breaches and losses suffered related to intellectual property, while 1 in 10 organizations will only report data breaches and losses that they are legally obliged to report, and no more. Six in 10 said they currently “pick and choose” the breaches and losses of sensitive data they decide to report, “depending on how they feel about them.”

MORE ON DATA BREACHES: The Ponemon Institute’s data-breach calculator

Those were some of the key findings from a McAfee and Science Applications International Corp. (SAIC) survey that queried 1,000 technology managers in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security.

The report, entitled “Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency,” said the main reasons for not disclosing data breaches are fear of media coverage, damage to the brand and shareholder value. “The admission of a significant vulnerability could flag other attackers so very few companies are willing to be public about intellectual capital losses,” the report says (see “‘Political’ cyberattacks hit half of large companies“). 

John Dasher, senior director of data protection at McAfee, said that “losing some of your crown jewels” would in theory be considered a matter that should be disclosed to shareholders as important information of material interest or for other legal reasons.

“But most of them aren’t reporting,” says Scott Aken, vice president for cyberoperations at SAIC, who called the survey results surprising. Another finding of the survey, that about 25% of the organizations “had a merger or acquisition or product rollout stopped by a data breach,” was also a surprise to Aken. “Sometimes companies don’t know they had a data breach and only find out months later,” he said. It disrupts operations.

The report also says the economic recession has impacted how organizations are looking at where they store sensitive data such as intellectual property, proprietary information and trade secrets.

“More than half of organizations studied are reassessing the risks of processing data outside of their home country due to the economic downturn, compared to 4 in 10 in 2008,” the report states. Countries that have “leniency in privacy and notification laws” are attractive to organizations. But 9 out of 10 organizations that store sensitive information abroad do view some countries as safer than others. China, Russia and Pakistan were considered the least safe, while the U.K., Germany and the U.S. were seen as the safest.

The McAfee/SAIC report argues that the target of cybercriminals is shifting from stealing things like credit cards and Social Security numbers to sensitive and proprietary content that can be sold on the underground market to foreign competitors or governments (see “‘Night Dragon’ attacks from China strike energy companies“).

Read more about wide area network in Network World’s Wide Area Network section.