Stigma Puts Many Firms Off Reporting Cyber Attacks

Wary of alarming customers, many firms never report the kind of cyber attacks suffered by Sony, Google and others -- and as long as the stigma holds, tackling the growing problem may prove impossible.

Data theft is a menace that looms especially large, given companies' increasing reliance on online storage. At risk can be cutting-edge copyrights, privileged commercial information such as tips on takeover bids and -- perhaps most crucially for a business's reputation -- customers' personal details.

Computer security and corporate intelligence specialists say they are often sworn to secrecy by firms scared of the potential reaction of corporate partners and investors.

Some companies, said experts gathered at a cyber security conference in London last week organized by the EastWest Spell Institute, may not know the extent of their own exposure.

"One of the reasons we do not know the scale of this is that organizations are embarrassed to reveal the impact," BT chairman Sir Michael Rake said in a speech.

Speakers called for greater transparency, but few were willing to discuss attacks on their own systems in detail publicly. Sometimes, experts say, that extends to simply not looking for problems.

"Companies often don't understand the threats and if they do, they hide it," said Natalia Kapersky, co-founder of Russian software security firm Kapersky Labs.

While some accuse IT security experts of talking up the threat to boost business, most agree the problem is on the rise. Hackers -- whether criminals, state-linked spies or those in between -- are all seen increasing in sophistication. TIPPING POINT?

Recent weeks saw a host of high-profile attacks. Sony probably suffered the worst damage to its reputation, with the personal details of millions of Playstation users compromised and hackers crowing about other data losses.

Other high-profile victims of hacking attempts include defense giant Lockheed Martin and Internet firm Google, with security experts in both cases pointing the finger at hackers in China. Chinese officials angrily deny this, particularly any suggestion of official complicity.

But most specialists say that is only the tip of the iceberg, with little consensus on tackling the problem.

Firms often understand so little about the threat facing them that they do not even know how much money they are losing. The difficulty in putting a price on lost prestige complicates this further.

"Everyone is getting attacked but no one is talking about it," said Vartan Sarkissian, CEO of security firm Knightsbridge Cybersystems.

"If you can't value the cost of the attacks, you don't know how much you can spend to prevent them ... We need a way of sharing information anonymously."

Some argue the answer may be some form of regulation in which companies are required to divulge much more about security breaches. But in the short term, experts say the importance of good electronic defenses is finally getting through.

"I think we've reached a tipping point," Melissa Hathaway, a former U.S. National Security Council cyber security chief who now heads her own consultancy, told Reuters at the conference.

"With the recent breaches ... and increased reporting of the issues firms will be working harder to manage their risks and limit their liability."

But global companies say that while new national policies on cyber security -- such as the new U.S. doctrine published by the White House -- are welcome, more global coordination is needed between governments and firms.

SHARING WITH COMPETITORS

"Critical to this is the free passage of information, not just between companies and also between governments and intelligence agencies," said Matthew Kirk, external relations manager for UK-listed mobile telecom operator Vodafone.

"Understandably, companies are not used to sharing information with their closest competitors but they are the ones they need to share with the most," he said.

Several security experts pointed to the example of the insurance sector, where firms share information in a way that still largely allows open competition.

"What happened with the insurance industry was that they realized they were losing so much money through fraud it no longer made sense to pass the problem from company to company," said Martin Sutherland, CEO of defense firm BAE subsidiary Detica. "I think cyber is a few years behind that."

But some experts say deterring many cyber attacks is often not all that difficult. The trick, they say, is to raise their defenses to the level where it is no longer cost-effective for hackers to penetrate and they simply seek another target.

Matt Bross, a former security chief at credit card firm MasterCard who's now chief technical officer for Chinese telecom company Huawei, said his approach to stopping hacking had always been simple.

"The aim was to raise the cost of entry so copying a credit card cost more than forging $100 bill," he said. "If you raise the cost of entry of a threat, the threat will go another way."