As more companies come out of the closet about their Internet security being compromised, still more start to admit it. But many (perhaps most) don’t even know. Fortunately, there is a way the public can get a clue even about those companies.
Nicole Perlroth wrote for the NYTimes 20 February 2013 that corporations try to hide successful cracking of their Internet security:
Most treat online attacks as a dirty secret best kept from customers, shareholders and competitors, lest the disclosure sink their stock price and tarnish them as hapless.
However, as some companies come out of the closet about this (Twitter, Facebook, Apple, etc.) and such revelations become more common, the threat of looking foolish fades and more companies are seizing the opportunity to take the leap in a crowd.
“There is a ‘hide in the noise’ effect right now,” said Alan Paller, director of research at the SANS Institute, a nonprofit security research and education organization. “This is a particularly good time to get out the fact that you got hacked, because if you are one of many, it discounts the starkness of the announcement.”
Now here’s the interesting part:
“I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly) with the great majority of the victims rarely discovering the intrusion or its impact,” Dmitri Alperovitch, then McAfee’s vice president for threat research, wrote in his findings.
“In fact,” said Mr. Alperovitch, now the chief technology officer at Crowdstrike, a security start-up, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
In October 2011, the Securities and Exchange Commission issued a new guidance that specifically outlined how publicly traded companies should disclose online attacks, but few disclosures have come because of it.
“Quite frankly, since then, there hasn’t been an abundance of reporting on cyberevents despite the fact that they are clearly happening,” said Jacob Olcott, a specialist in online risks who managed a Senate investigation into the disclosure practices.
The best hope, Mr. Olcott said, is that as investors start paying more attention to the threats, they will demand that companies disclose them.
“I wouldn’t hold my breath,” Mr. Elefant said. “There are an awful lot of lawyers out there trying to keep companies from exposing that these breaches are happening. And they are happening.”