Why executives shy away from security disclosure

Canadian enterprises may be even more afraid of falling stock prices than hackers, computer viruses, and worms that could bring their IT infrastructure to a halt, according to a research report released Tuesday.

The Royal Canadian Mounted Police teamed with security vendor Symantec Canada to sponsor the “Pulse of Internet Security in Canada,” which was researched by the Branham Group. Data in the report comes from a survey of 150 “C-level” employees, such as chief executive officers and chief financial officers. While 73 per cent of respondents indicated they are spending more on IT security than they were 18 months ago, only 50 per cent said they would admit to a security breach. The most common reason for failing to disclose breaches was a fear that the information could have a detrimental effect on the company’s stock price or financial performance.

The issue of disclosure has plagued the IT community for years, said Symantec Canada general manager Michael Murphy, who said his company is typically involved after an incident has already occurred in order to conduct a post-mortem and prevent future attacks.

“It doesn’t become a finger-pointing exercise,” he said.

Luc Filion, the RCMP’s Officer in Charge, Technical Security Branch, said anonymity can help ease the process when companies turn to the authorities for help. The RCMP gets involved in IT security attacks whenever the local police force or provincial police request help or where it is the RCMP’s area of jurisdiction. (Only Ontario and Quebec have their own provincial police forces.)

“Sometimes the company will say they want us to investigate but they will not prosecute and want it kept at a confidential level,” he said.

Filion said encouraging the reporting of incidents is of crucial importance to the RCMP, which tries to form tighter links with other local, national and international law enforcement agencies.

“Internet crime is most of the time an international crime,” he said.

CEOs were more likely to admit a breach at 58.6 per cent versus non-CEOs at 41.4 per cent, according to the survey. Murphy said that those who said they wouldn’t report an incident may need further education about what kind of policies determine their reporting practices.

“I think it’s this unwritten rule that this policy exists, but show me the policy,” he said. “Most organizations have a communications policy and maybe it falls under that, but it’s probably not very well defined.”

Filion said each of the government’s departmental security officers explore issues at the committee level on a regular basis and are bound by IT operational security standards put forth by the Treasury Board Secretariat. A new standard will be finalized in the fall, he said. Data from the report will help the RCMP give strategic advice to the public sector on government security spending, Filion added.

Of those who would admit to a security breach, 86 per cent would report a future incident, the report says. The breach’s cost or legal impact to the company would determine whether it would be reported, respondents said.

Comment: info@itbusiness.ca
