Tip of the cyber iceberg

I recently participated in a briefing where some troubling metrics were disclosed. It seems we are not getting a clear picture of the number of cyberattacks and breaches that are occurring even though these malicious actions have been uncovered.

During that briefing, one survey was mentioned that reportedly found that about 10 percent of those responding claimed to report breaches and losses only when legally required to do so. The survey also showed that approximately 60 percent of organizations pick which breaches to report.

The observation is supported by another data point that came out in the briefing, which is that e-mail messages leaked by insiders show that a number of companies have chosen not to publicize breaches that occurred as far back as 2010. Based on these metrics and this information, it is clear we are only seeing the tip of the cyber iceberg. Our cyber intelligence is at best incomplete, and the worst case scenario is that it misleads us about the magnitude of the problem.

Cyberattacks, cyber espionage and cyber breaches now dominate the threat environment of businesses, government organizations, the military and individuals. These threats continue to evolve at a rapid pace and have now become the greatest threats to our national security. We have failed across the board. Organizations have not adopted a proactive approach to cybersecurity and managing data breaches. Some expect the government to pick up the tab -- they have asked for incentives -- for securing their systems.

A recently released report authored by from Carnegie Mellon University's CyLab found that boards and senior management still are not exercising appropriate governance over the privacy and security of their digital assets.

Cyberattacks on computer systems and associated devices are a foreseeable risk. I can think of a great incentive: those who do not take appropriate actions to protect the systems that make up our critical infrastructure will face claims of negligence.