Despite the prevalence of cybercrime, many organizations deliberately choose not to report breaches, according to a newly released report. The report, conducted by IT governance watchdog ISACA for HCL Technologies, found that about half of respondents say cybercrime is underreported at their organizations, even when reporting is required. Seventy-five percent say that actual cybercrime instances in their organizations are intentionally suppressed.
Frank Downs, ISACA’s director of cybersecurity practices, believes there are two major reasons why cybercrime is so underreported. The first is the complexity of applicable laws.
“Many different municipalities, including federal, local and international, are involved when a cybercrime occurs,” he said. “I have yet to meet a single day-to-day cybersecurity professional who is aware of all of the different laws and policies that impact them and their work. This can create situations where cybercrime is underreported, because they don’t know what may qualify as a crime and who should be informed.”
Downs said fear also plays a factor.
“Many individuals and organizations have seen what happens when big incidents are reported and are very afraid of a similar situation,” he said. That leads many to make what Downs calls the wrong choice: not reporting the incident in the hope that it goes unnoticed. “This doesn’t always work out and a lot of companies have made the news after the fact, with Uber being a classic example.”
Companies are also concerned about public perception, especially now that the consequences of a breach tend to linger. Moody’s, for example, cut its outlook on Equifax due in part to the company’s data breach. A downgrade of that kind shapes perception, which in turn affects finances and the organization’s value.
Further, Downs noted, legal consequences can compound over time, and the people whose data was compromised are done a disservice. The longer that personally identifiable information (PII) is exposed without the victims knowing, the greater the chance that some of their information is stolen or their identity is compromised.
How to Increase Resilience
The report also uncovered other interesting findings. For example, 60% of information security professionals say it is likely or very likely that they will experience a cyberattack this year, and only 34% are highly confident that their organization’s cybersecurity team can respond adequately to those threats.
The report lays out how analyzing key organizational attributes can help organizations increase their resilience to potential incidents in three areas:
- Cyber reporting structure: Many organizations don’t have clear policies established for what to do when an incident occurs, Downs said. An incident response plan (IRP) helps cybersecurity professionals recognize when an incident is happening, what qualifies as an incident and who should be informed when something adverse occurs. Without clear guidance in place, an incident can be mismanaged and create greater lasting issues.
- Prevalent attack methods: Phishing, malware and social engineering are the most prevalent attack methods. By ensuring that all users understand this and by providing training, an organization is less likely to fall victim to these types of attacks.
- Team readiness: Many cyber teams are made up of individuals who wear two hats, meaning they spend the majority of their time doing something else within the organization. “However, it is important that they know what their roles are when an incident does occur,” Downs said. “For example, does the help desk now become a security operation center (SOC) portal? That sounds funny, but I’ve seen it.”