Undetected Breaches Instill False Sense of Security

Speak No Evil, See No Evil, Hear No Evil by Allson Curtis 5.5.09

If a security breach happens, but no one knows about it, is it still a breach? According to a study of small to mid-sized Registered Investment Advisor (RIA) firms, a lack of detection appears to be giving a false sense of security. Here are a few interesting statistics from the study:

  • Only 4.1 percent of firms indicated they had experienced a cybersecurity incident.
  • Only 1.1 percent indicated they had experienced theft, loss, unauthorized exposure, or unauthorized use of or access to confidential information.
  • 38 percent of the firms surveyed said they don’t conduct any risk assessments to identify threats and vulnerabilities.
  • While 92 percent of firms use e-mail to contact clients, only 50 percent of the firms use secure e-mail.
  • Only 44 percent of firms report having policies and procedures or training in place related to cybersecurity.
  • Only 47.5 percent of firms report having policies and procedures or training related to the disposal of electronic data storage devices.

Given the lack of security assessments, policies and technology, it’s difficult to believe so few firms have experienced a breach. The percentage is so low that firms likely either did not self-report accurately or are simply unaware that breaches had happened. In this Wealth Management article about the study, Neal O’Farrell, the founder of cybersecurity firm Privide, says he doesn’t believe those figures because companies are often the last to know when a breach happens.

“They [Target and Home Depot] saw nothing,” he says, noting it was only after tens of millions of customer emails were suddenly for sale on the black market that it triggered an investigation and eventual notification. “The notion of saying that we haven’t been hacked because we’ve not noticed a breach is nonsense,” O’Farrell says.

If only 50 percent of the firms surveyed are using secure email, it makes you wonder why the other 50 percent are not. Do they think it’s too complicated, too expensive, or that it requires too many IT resources they don’t have? Cloud-based secure messaging like Cirius Messaging has made email encryption accessible to the SMB market. It deploys in minutes, integrates with your existing email and requires minimal IT management. You can check it out by signing up for a free trial.