What A Difference A Breach Makes

What if there was a publicly available document that told you the relative importance that any given firm assigns to cyber security. Not just a passing nod, but genuine, top-down indication of board-level buy in. That you could just access online, for free.

Could you even use it to predict the likelihood of one firm being breached over another?

Well, perhaps this document already exists; introducing the humble annual report – also known in the US as form 10-K.

The annual report is one of the more useful methods of gaining insight into a company. With the media today dominated by PR, marketing and spin, an annual report remains a source of clarity, where shades of grey do not and cannot legally apply. As such, if something makes it into the annual report, it’s fairly important. If it’s mentioned several times, it’s very important. If it’s hardly mentioned at all – well – it’s clearly not a priority.

Which leads us on to cyber security.

This article examines the frequency that ‘cyber’ and related security phrases (namely ‘information security’ and ‘data security’), occur in the annual reports from a range of enterprises spanning over a decade. Some, such as Equifax and Marriott, have been subject to recent ‘megabreaches’. Others – including Adobe and Anthem - were hacked a few years back, while others among the firms looked at are yet to face such a crisis.

Pre breach - hacked organisations typically talk less about cyber

In the high-profile breach cases examined in this article, the significant majority demonstrated a below-average frequency of references to cyber security in their annual report, in the year prior to the breach. In notable recent cases, such as at Marriott and Yahoo, there was not much more than a basic acknowledgement of cyber-risk - well under half the average frequency measured in this study. At Equifax, which we will come to later, the annual report - pre-breach - contained just a quarter of the references to cyber security that would be expected.

The chart here is pretty clear - before they are breached, hacked firms talk less about cyber. But what does this actually mean? Can we say that organizations with fewer references to cyber security in their annual reporting are less security mature and more likely to be breached? Or, more likely, that security is not high enough on the agenda for the board and executive to feature it in their flagship report?

With the annual report being such a significant communications tool, what we can certainly do is use it as an indicator as to the strength of top-down security culture in an organization.

In a slightly more sinister vein, it's also entirely plausible that organized and well-drilled cyber-crime groups follow a similar process as part of open source intelligence, to identify victims perceived as lower hanging fruit. Before engaging with any organization, you read their annual report - surely you'd do the same before attempting to hack them. In a world of cyber-defense where you often only have to be as strong as those around you, should companies should take note and consider this an early warning?

A case in point - Equifax

While we could examine any number of these firms – Equifax stands out as a case study due to the post-breach scrutiny placed upon it by the US Government.

Indeed, a Senate committee investigating the breach called Equifax out for its;

‘inattention to cybersecurity’ and a ‘culture of complacency to cybersecurity preparedness.’

This would be in-line with a lack of top-down security culture, which we can also infer by the scarcity of references to security in the annual reporting.

Above, we can see that in the year before it was hacked, Equifax made just four references to ‘Cyber, Information Security or Data Security’ vs a credit rating industry average of 17 (grey) and an overall US average of 16 (blue).

In fact, Equifax's frequency of four (dark blue line) matched the average for credit rating agencies back in 2008 – implying a full decade of under-prioritization of security by the company. As we know now, this was later confirmed by the US Government after its investigation.

The chart above shows the post-breach extreme could not be starker. The term ‘cyber’ is featured more heavily in Equifax’s report than that of leading cyber-security specialist FireEye, who have 117 mentions of 'cyber' to Equifax’s 139. To continue to the comparison, Equifax’s breach costs are currently running to $1.4bn over two years – while FireEye’s entire operating expense equal $1.4bn over the same two-year period.

Post-breach - there is nothing like being hacked to kick-start a proper cyber-security programme

It should come as no surprise to anyone that in the year post-breach, focus on cyber security in annual reports increases by an average of over 300%. You'd expect this, with references to what happened, the response, and the associated costs all racking up. What is more surprising, is that this increase is sustained in the years post-breach and does not fall back to the pre-breach state (in fact it continues to increase slightly).

It is a telling state of affairs that still today in 2019, despite countless warnings, case studies and an increase in overall awareness - it is often only being hacked that can really get cyber security high onto the board agenda in a sustainable way.

Perhaps one day this will change - indeed, a growing number of organizations' boards and executive committees are taking a serious and proactive view of cyber security, viewing it as a business enabler as well as a key risk. Until this mindset becomes mainstream though, the numbers above speak for themselves - there's really nothing quite like a breach.