Cyber crime incidents are widely under-reported, study finds
5 June 2019
As many as 50 percent of cyber security professionals believe organisations are widely under-reporting incidents of cyber crime even when they are legally obliged to report them, ISACA’s State of Cybersecurity 2019 report has found.
Last month, a Freedom of Information request by Redscan found that a vast number of organisations either did not report incidents of cyber crime such as data breaches to the ICO or did not follow mandated data protection rules such as reporting data breaches within timelines, assessing how a breach occurred, or identifying the impact of a breach properly.
Cyber crime incidents are widely under-reported
While a little over 20% of UK organisations failed to report a breach incident date to the ICO, 25% of them failed to report a breach discovery date. Given the time they took to identify and report incidents, fewer than a quarter of them would be compliant with current GDPR requirements, which demand that organisations report a breach within 72 hours of discovery.
“The fact that so many businesses failed to provide critical details in their initial reports to the ICO says a lot about their ability to pinpoint when attacks occurred and promptly investigate the impact of compromises.
“Without the appropriate controls and procedures in place, identifying a breach can be like finding a needle in a haystack. Attacks are getting more and more sophisticated and, in many cases, companies don’t even know they’ve been hit,” noted Mark Nicholls, Redscan director of cybersecurity.
ISACA’s latest State of Cybersecurity 2019 report, which gathered responses from over 1,500 cyber security professionals, noted that as many as half of such professionals are sure that organisations are widely under-reporting incidents of cyber crime.
“Underreporting cyber crime—even when disclosure is legally mandated—appears to be the norm, which is a significant concern. Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so,” said Greg Touhill, Brigadier General (ret), ISACA Board Director and the first US Federal CISO.
Why do organisations under-report cyber crime incidents?
There are many reasons why a large number of cyber crime incidents go unreported. While the fear of reputational loss and the fear of huge monetary fines are obvious factors, many organisations are not reporting such incidents either because they have been unable to detect a breach or because, lacking visibility over the data they hold, they are unable to quantify how much data has been lost.
Information obtained by Redscan via a Freedom of Information request also revealed that sometimes organisations take so long to identify cyber crime incidents that once they are identified, it becomes difficult for authorities to effectively investigate such incidents.
According to Redscan, in comparison to businesses in other sectors, financial services and legal firms took less time to identify data breaches and report them to the ICO, which could be due to a higher awareness of data protection laws and the highly sensitive nature of data processed by such firms. While financial services took 16 days on average to report breaches, legal firms took twenty days to do so.
At the same time, compared to other businesses which took 138 days on average to identify a breach, financial services took just 37 days and legal firms took 25 days, even though such timelines may also allow hackers to get away without suffering any consequences for their actions.