Responsible disclosure: how should bugs be made public?
Should security-breach data be included in your quarterly business reports? The Information Systems Audit and Control Association (ISACA) certainly seems to think so, although there’s as yet no legal obligation to report breaches to the UK Information Commissioner’s Office (ICO).
However, since 6 April 2010 the ICO has had the power to impose fines of up to £500,000 for having inadequate security that leads to a “deliberate or negligent” loss of personal data.
Combine this lack of legal requirement to report with the fear of a fine and it’s hardly surprising so few companies come forward.
The ISACA – a not-for-profit IT security organisation, which among other things administers risk certifications – says we need to know how much data is being lost, and it believes that mandatory reporting of all breaches to the ICO would achieve that.
Them and us
In 2006, I was voted IT Security Journalist of the Year for the first time, and one of my first official engagements was to address a select crowd of CISOs and directors of security from high-street banks, government and big business: my topic was the need to build a better relationship between media and business over security issues, and I focused on the debate about disclosure.
Four years ago it was very much a “them and us” scenario, with businesses doing everything they could to prevent knowledge of breaches escaping beyond the boardroom, and the media in a feeding frenzy whenever the smell of a breach wafted in our direction.
I suggested that we needed more trust between the two sides were we ever to reach a point where businesses could disclose breaches and have them reported without red-top tabloid sensationalism.
I’m glad to say that, on the whole, security journalism has matured enough to report breaches rather more sensibly these days, but far too many companies are still very reluctant to disclose them in the first place.
Don’t get me wrong, I wear a security consultant’s hat as well as a journalist’s one and understand business security culture. That means I know all about reputational risk and the deep – if often misguided – fear of exposure as a company that doesn’t care about security or client privacy.
I also know that many companies are, despite the lack of any legal requirement to disclose, still quite fearful of the ICO’s big financial penalty.
At the smaller end of the SME scale where I ply my consultancy trade, this fear is driven purely by the financial consequences of a potentially six-figure fine, which as they struggle to escape the recession might actually precipitate a corporate collapse.
At the bigger end of the enterprise scale it’s an altogether different type of fear, but it’s so strong I can smell it from here: it’s that reputational thing, brand damage and all that means in terms of competitive disadvantage.
None of the big boys want to be first to get hit with the ICO’s big stick, with all the adverse publicity that becoming the founder member of the £500,000 Insecurity Fine Club would bring.
The clever money – and I’ve seen plenty of evidence of this out in the real world – pays for a savvy IT department that does everything it can to keep up with the latest threats, but unfortunately I’ve also seen plenty of evidence that the recession has compelled some companies to freeze their security budgets.