The EU’s information security agency has called on businesses and governments to be more transparent when they suffer security incidents.
"Large outages and large data breaches receive extensive media coverage, showing the importance of cyber security in society," ENISA said in a report released yesterday. "Many breaches, however, remain undetected and if detected, are not reported to authorities and not known to the public. There is no overall view across the digital society of the incidents, the root causes or the impact for users.
"Lack of transparency and lack of information about incidents makes it difficult for policy makers to understand the overall impact, the root causes and possible interdependencies," the report explained. "It also complicates the efforts in the industry to understand and address cyber security incidents.
"And finally, it leaves customers in the dark about the frequency and impact of cyber incidents," it said.
With Article 13a of the recent update to its telecommunications regulations, the EU introduced a requirement for telcos to report data breach incidents. There is a similar amendment in the proposed update to EU data protection law.
These requirements have drawn criticism, with London law firm Linklaters saying they "are extremely difficult to comply with and, in many cases, serve no useful purpose".
The ENISA report defended data breach notification policies. "Incident reporting is essential to obtain a true cyber security picture," said executive director Udo Helmbrecht.