There is a difference between what gets reported, and what is the truth. That fact should be obvious but is worth repeating because people keep forgetting it. If you do not identify a fraud that does not mean there was no fraud. Companies can inflate the revenues they report, and some of them even get into trouble for it. The recurring gap between the reports and the truth is what justifies the employment of every assurance professional everywhere. And technology trends mean we must be conscious of the bitter struggle on the new front line for assurance: the difference between the data breaches that have been reported and the data breaches that have actually occurred. You, or your customers, will suffer the consequences of a breach even if you failed to identify it. And people are realizing that covering up breaches is not a cool thing to do.
The motive for hiding a breach is straightforward: people assume your security is fine until it is demonstrated that it is not. The business can under-invest in security, can hence generate fatter profits, and suffer no consequences for its security failings. However, there are always consequences. Hackers steal data to exploit it. A business that covers up a breach is setting itself up for a bigger fall when the dots are finally joined and victims discover who was at fault.
More generally, the massive rise in data breaches will undermine trust in general, even if lax businesses seek to evade their responsibilities and under-report the breaches they have suffered. Instead of everybody assuming security is fine, people can grow cynical, and assume nobody has dependable security, until proven otherwise. The banking industry is learning that now. A recent Reuters article argues:
Britain’s banks are not reporting the full extent of cyber attacks to regulators for fear of punishment or bad publicity, bank executives and providers of security systems say…
But while saving them from bad publicity or worried customers, failure to report more serious incidents, even when they are unsuccessful, deprives regulators of information that could help prevent further attacks, the sources said…
Banks are increasingly sensitive to the brand damage caused by IT failings, perceiving customers to care just as deeply about security and stable service as loan or deposit rates.
Yahoo seemed to be a badly-run business that delivered poor shareholder returns compared to its rivals, and was only buoyed by takeover speculation. Their underperforming executive team had every reason to delay disclosure of a massive breach, until a buyer had been found. Not surprisingly, Verizon cried foul when they learned they were buying a business which had kept shtum about a hacking attack which materially impacted Yahoo’s value. Instead of getting away with the non-disclosure, the trickery risked putting Yahoo in a weaker bargaining position, as explained by one analyst who spoke to Reuters.
Roger Entner, an analyst at Recon Analytics, said “Verizon is rightfully upset about Yahoo not properly disclosing the breach.”
He said Yahoo would most likely have to consider renegotiating the price with Verizon, if it came to that.
“I don’t think it has much of a choice. Who else would want to buy them?” Entner said.
Another problem with cover ups is that they encourage a continuation of bad behavior, and the longer that behavior persists the worse the eventual comeuppance. Just ask Volkswagen if repeatedly cheating emissions tests, and kidding themselves that they would eventually find a way to pass the tests without compromising performance, was wiser than simply making cars with poorer acceleration.
Big businesses like telcos are increasingly obliged to disclose breaches in order to comply with data protection laws. It is safe to assume that some will break the rules, others will bend them, and some will be so hopeless that they will remain genuinely unaware of them. (The latter claim of incompetence should be henceforth known as ‘the Yahoo defense’.) There will be natural reasons not to look for shortcomings, but increasing penalties for failing to do so. The balance is being tipped in favor of transparency.
The reinvigorated demand for transparency in this area also provides a positive opportunity for assurance professionals. As stated above, assurance is about closing the gap between what is reported and what is real. Corporations will be at increased risk if they fail to comply with requirements for openness about data breaches. If businesses cannot lie about data breaches to others, there is less reason for them to hide the truth about fraud, or theft, or any other loss associated with inadequate security. The internal change in culture will also encourage them to be transparent in associated areas. And if the business is not prepared to lie to people outside its walls, it should also find it easier to be honest with the people working inside them. This can only be a good thing for assurance professionals.