While it has become generally well-known that enterprises have a problem dealing with cybercrime, the true extent of the problem is much worse than many realize. In fact, even the entities that really ought to know the reality – such as legal and regulatory authorities – are generally in the dark about how many incidents are occurring and how severe they are.
In ISACA’s recently released State of Cybersecurity 2019 research, a combined 75 percent of security professionals responding to the survey assert that most enterprises underreport cybercrime, including 50 percent who believe that organizations underreport cybercrime even when legally required to report it. There is a well-known saying that the first step to solving a problem is acknowledging that there is a problem, but these numbers suggest that enterprises still would prefer to sweep cyber incidents under the rug than to face the often unpleasant realities of today’s threat landscape. There are a number of reasons why organizations resist reporting cyber incidents, but the failure to disclose incidents is short-sighted and ultimately opens the enterprise to far greater risk in the long-term.
An obvious starting point for why organizations are reluctant to report cybercrime is the impact on brand name and customer trust. But this propensity for organizations to avoid reporting cyber incidents to the appropriate legal and regulatory authorities invites public relations debacles that result in far greater trouble down the road. Aside from the direct financial costs associated with cyber incidents, the damage to brand reputation and customer trust can be even harder to recover from. If organizations can demonstrate to the public that they made good-faith efforts to disclose the details of the incident and then mitigate the damage to the best extent possible, there is a fighting chance to rebuild customer relationships. Conversely, if the consequences of a breach are followed by what is perceived as a cover-up, those customer relationships become nearly impossible to repair, and the executives associated with that unwillingness to accept accountability will likely see their careers permanently tarnished.
When the instinct to avoid embarrassment is not to blame for failing to report cyber incidents, the culprit might be a feeling that there is nothing to be gained from reporting the incident. Whereas when organizations are victimized by a physical break-in resulting in stolen property, a call to law enforcement is the natural next step – and likely would result in an investigation leading to an arrest – organizations are much less confident that legal authorities can help them recover stolen data or prevent the further spread of digital assets stolen in cyberattacks. This, too, is a misguided reason not to report, especially as law enforcement agencies are developing more sophisticated capabilities for fighting cybercrime with each passing year. This trend will continue as public expectations mount for local law enforcement to take digital crime as seriously as enforcing parking meter violations and the other traditional crime that commands their attention. Correspondingly, the amount of resources devoted to fighting cybercrime must increase to make it more realistic for law enforcement to be a viable partner in helping organizations respond to cyberattacks.
The unwillingness to report cybercrime is problematic on multiple levels. In the UK’s National Strategic Assessment of Serious and Organised Crime for 2018, it is noted that “underreporting of data breaches continues to erode our ability to make robust assessment of the scale and cost of network intrusions. Many companies are not disclosing data breaches, putting victims at risk.” The report also indicates that the public’s confidence in law enforcement’s ability to respond to cybercrime is impacted by the widespread underreporting of these incidents. In the bigger picture, the lack of trustworthy statistics around the volume of cyber incidents does a disservice to organizations of all types and sizes around the globe. Think about how much easier it would be for boards of directors to justify allocating greater resources toward cybersecurity if they had more credible and comprehensive data on the prevalence and nature of incidents from which to base their decisions.
Perhaps the evolving regulatory landscape will help mitigate this deeply ingrained problem, with the high-profile General Data Protection Regulation (GDPR) now adding to other regulations that put responsibility on organizations to report data breaches and other security incidents. There are plenty of common-sense reasons why organizations should accurately report cyber incidents, but if it takes regulatory pressure to provide additional incentive, so be it. In almost all cases in life, forthrightness and transparency are a better option than hoping others will not notice what is really happening. That certainly applies to the need for more widespread reporting of cyber incidents. Until organizations do so with more regularity, a range of important stakeholders will lack sufficient information to drive toward solutions that can make a meaningful difference in combating cybercrime.
Editor’s note: This article originally appeared in CSO.