I was recently asked to explain companies’ rationale for failing to report cybercrimes. Each situation has unique reasons and justifications, but I decided to tackle the most obvious and human cause for such behavior – humiliation.
This is not a new trend. Businesses often resist reporting cybercrimes for the same reason that many hate their own mistakes and embarrassments being publicized. Nobody wants to seem incompetent, and being the victim of cybercrime makes companies seem less than competent. Even if the attack is brilliant and unpreventable, the general public and regulators tend to blame the victim in these cases for not protecting consumer or employee data.
Not having an agreed-upon data security standard is one of the most serious issues we face. Regulators are tasked with enforcing laws that require adequate and appropriate data security. However, we have no measure to determine what is adequate or appropriate. Serious (and not easily understood) analysis is required to establish whether a company’s security was reasonable and well planned. This analysis requires deep understanding and nuance of the sort that regulators and the general public often don’t have time for.
In 2003, the Antwerp Diamond Exchange was robbed of over $100,000,000 of diamonds and precious metals. The Exchange was several floors below street level and protected by some of the most advanced security measures in the world. Yet it was robbed anyway, because the thieves spent years becoming insiders in that system in order to break into it. Was the Exchange’s security poor? No. Was the theft conclusive evidence of incompetence by the Exchange? No. Any system can be broken, and there is no such thing as perfect security. We have a culture of victim-blaming in cybercrimes. It is another branch of the twisted psychology applied to victims of physical crimes, summed up as “he had it coming”: if there was a crime, the victim must have done something to encourage it.
Company executives are aware of this cultural problem and are loath to admit being vulnerable to such attacks. And when they do admit it, reality often beats them down. In the 90s, one of the major banks lost more than $2,000,000 in a hack but handled the matter well: it arranged for the capture and imprisonment of the hacker, and none of its customers lost any money. When the bank announced this success, its stock fell precipitously, because all the markets could comprehend was that this particular bank (and therefore all big banks) was vulnerable to cyber theft. All bank stocks took a hit.
Announcing a cybercrime and demonstrating care and competence in addressing the affected data subjects' pain often leaves a positive impression without significant lingering damage. Today, a company that shows competence in dealing with a successful attack can minimize reputational damage and come back strong. But for executives worried about their bonuses and jobs, it is hard to believe that negative news will not hurt in a significant way. So many of them resist making announcements unless required to do so.