Apparently, executives at Davos are harboring a terrifying secret that they reveal only to journalists at gatherings of the global elite: their companies are seeing a tidal surge in cyber-attacks. Writing in the Financial Times this week, Gillian Tett suggests cybersecurity is becoming a worry for companies in 2013 the way credit derivatives were in 2007—and that, as in 2007, nobody wants to talk about it:
“In recent months, some companies (such as HSBC, Wells Fargo or Lockheed) have been forced to admit to suffering cyber attacks, after the penetration has become visible. But this is just the tip of a vast iceberg, and the overwhelming majority of companies today are terrified of talking too publicly about the issue, for fear of suffering stigma or sparking panic.”
Few companies will reveal much about the breaches or attempted attacks they’ve suffered in their annual reports. Governments are trying to change this. Last year, US President Barack Obama tried to push legislation that would have required companies to share more information, and set security standards for critical infrastructure. Republicans blocked the bill on grounds that it would burden businesses with more regulatory obligations, but Obama is now modifying the bill into an executive order.
Perhaps none of the fearful business leaders at Davos were among the nearly 10,000 executives that PwC polled for its recent report on information security around the world. Most of those polled considered their companies to be “information security leaders.” PwC, not suprisingly, suggests that this confidence is misplaced. While its survey should be taken with a pinch of salt, since PwC sells security consulting services and therefore has an interest in putting the scare on companies, some of the findings are intriguing.
For instance, the study shows that the external economic environment has a somewhat bigger influence on security budgets than actual security concerns:
Apparently, companies are also seeing a decline in the use of some basic information security detection technologies. (PwC doesn’t list all the technologies it asked about or reveal whether the use of some other technologies increased.)
Similarly, the report finds that there’s been a relaxation in various security policies and in safeguards related to people (pdf, p. 14 and 20) .
However, security practices do seem to have improved in one area. Though PwC says organizations are “keeping looser tabs on their data now than they did in years past”—without giving numbers—its research shows that more recently they have gotten slightly better at it:
This improvement in data protection might conceivably be because of some well-publicized leakages in the last couple of years of large troves of data online—from the Wikileaks archive of US diplomatic cables to customer databases from companies like Sony, Zappos, Stratfor and Gawker—which have shone a spotlight on the privacy risks of storing such data. If so, it suggests that forcing companies to be more transparent about the cyber-attacks they’ve suffered, as Obama is proposing, might indeed give them an incentive to take better precautions against those too.