The Problem With Breach Surveys

I just read this alarming post citing a survey performed by an insurance company indicating that 29% of US businesses suffered a data breach. I suspect that most people are well aware that such a survey of 403 senior executives almost certainly can’t be extrapolated in any meaningful way*. The more important issue with these numbers, as compared to say, the rate of US companies suffering losses from a fire, is that the harm isn’t necessarily recognizable as such. By that I mean that businesses generally can tell with a high degree of precision if they had a fire in the past year, but that isn’t necessarily true of breaches. The only reliable response is an affirmative response (“why yes, we did have a breach last year”). Any other response is really saying “no, we didn’t have a breach that we know about”. This is pretty significant, because it means that the real rate of corporate breaches is likely much higher. We have numerous examples (read: Yahoo!) of larger, more sophisticated companies going years before recognizing that a breach occurred. Depending on the intentions of the adversary involved, less sophisticated companies might never come to realize they were breached.

That raises an interesting question: if a tree falls in the woods and no one hears it, did it make a sound? I mean, if a company is breached and never recognizes that it happened (and hence never suffers any ill consequences resulting from the breach), does anyone really care about it? Sure, the harm may be subtle, such as a foreign competitor releasing a competing product without having to invest the R&D expended by the breached company, or the breached company’s clients being harmed in a way that isn’t attributed to that company.

Tautologically, we don’t know how often these happen because we don’t know when they happen. I strongly suspect that if we were able to deploy the “BREACH DETECTOR 9000 NOW WITH REDUNDANT BLINKY LIGHTS(tm)” that could identify every single breach on every company network, we would find that the rate of breaches is far higher, possibly “almost certain”. Would security programs and IT departments act differently if the report instead read that “95% of US companies were breached in 2017”?

* Ok, so maybe it would be valid as “29% of US companies whose senior executives we were able to obtain a response from experienced a breach in 2017”.