are-companies-under-reporting-breaches

Posted by:

admin 15 years, 11 months ago

A while back, I read in Brian Krebs' blog that "colleges and universities were more than twice as likely to report a breach as any other entity, followed by government agencies (17 percent) and businesses (15 percent)." (Emphasis mine.). A well-worded sentence that got me to wondering if significant under-reporting occuring.

I think people assume that .edu hosts are more likely to get hacked because they

Why would .edu hosts report getting hacked more than businesses? Here are some possibilities:

1. Educational institutions traditionally have more open networks
2. Businesses have focused more on security than educational instituions
3. Schools, in particular colleges are more likely to be required to disclose because their students come from states that have disclosure laws.
4. Educational institutions have the data that hackers seek - they are richer targets.
5. Educational institutions suffer less due to breaches.
6. There are more educational targets than business targets.
7. Businesses are under-reporting breaches or are not required to notify under current laws.

I think that 1, 2 and 3 are legitimate factors. I think that 4 and 5 are dubious because companies also have data that hackers seek and universities are getting hammered by PO'd alumnae for losing data.

As for number 6, it is difficult to know how many "targets" there are. However, you might use the total number of internet hosts as a proxy. According the lhe latest data from the Internet Systems Consortium there are 48,688,919 .com hosts on the Internet and 7,576,992 .edu hosts on the Internet. There are 6.43 times as many .com addresses as .edu. There are over 100,000,000 .net hosts as well. There are some issues with these numbers. Many commercial enterprises have .net domain names and many ISPs have .com addresses. However, it doesn't seem to me that educational institutions should report 2x the breaches when they have 1/6 the number of hosts.

It certainly is possible that there is under-reporting occuring. There are substantial penalties involved with a breach at a commercial entity. It may be that at a company, the person that discovers the breach is also the most likely to be responsible for security. Universities may have more employees that touch or monitor systems. The increasingly stiff penalties certainly create an incentive to not report a breach. It is also possible that many breaches have occurred at companies where disclosure was not required. I certainly don't have any answers, but it just seemed strange to me that there would be so many educational breaches when there are only around 4,000 universities in the US (source: infoplease) .

• Tags:
• Security and Economics,
• Information Security

Share on Twitter Share on Facebook

• ← Can the WiKID Server and/or Token be embedded?
• on-the-short-tenure-of-cisos-and-low-frequency →