Thycotic Survey Findings Show Double Standard on Reporting Security Breaches
June 2018 by Thycotic
Thycotic announced findings from its survey conducted at the 2018 RSA Conference. The survey, which included responses from more than 250 cybersecurity professionals, revealed that security professionals are applying a double standard to incident and breach reporting.
According to the survey, 84 percent of respondents wanted to be notified immediately if a company they worked with had experienced a breach. Yet, only 37 percent of these same cybersecurity professionals would notify customers right away if their organization was breached.
Just as disturbing, many cybersecurity professionals would not go on record to admit that their organization had been breached. Only 32 percent of security experts admitted that their companies had been the victim of a cyberattack in the past 12 months, and many respondents said, “I wouldn’t tell you even if we had experienced an incident or breach.” In addition, nearly one in six respondents admitted they had experienced a data breach and kept it secret from the public or the unsuspecting victims. Thycotic suggests this could be the result of pressure from executives or board members, since such incidents can have a major negative impact on the business.
“The message we are getting from security professionals’ responses is that if a company they do business with has experienced a data breach, they want to be notified as soon as possible. But they appear reluctant to reciprocate when an incident occurs in their own organization,” said Joseph Carson, chief security scientist at Thycotic. “When it comes to breaches, transparency is key, and preparing an incident response plan can help companies be ready so that they can minimize the damage that such a serious event can cause to not only their company but to that of their customers.”
While the findings on double standards in breach and incident reporting were concerning, Thycotic also found that progress, although uneven, was being made on incident response planning.
Additional survey findings include:
• 56 percent of security experts confirmed they have an incident response plan in place and have tested it
• 20 percent have prepared a contact list and communications for managing an incident
• 12 percent have conducted “Red Team” training with their executives
• 10 percent have a public relations team prepped to manage incident communications and legal advisors ready
“In an age when experiencing a data breach seems almost inevitable, a solid incident response and recovery plan can reduce data breach costs significantly as well as avoid a devastating negative impact on brand and customer loyalty,” added Carson. “While these results show some progress is being made in this area, there is a lot more that can be done.”