If your business was hit by a cyber-attack, would you report it to your CEO or Board of Directors? Would you report it to law enforcement? According to the Office for National Statistics, there were an estimated two million cybercrimes in the 12 months running up to March 2016.
However, recent research from SentinelOne – which found that 48% of 500 organizations surveyed worldwide had suffered a ransomware attack in the past 12 months – also found that only 54% of those victims had reported the incident(s) to law enforcement. Imagine what the official cybercrime figures would look like if the remaining 46% had reported their attacks too.
The question is, why aren’t all organizations reporting cybercrime? And what does this under-reporting mean for our ability to tackle these threats?
A fear of coming forward
According to the same survey, only 61% of organizations globally reported a ransomware attack to their CEO or Board. It may be that IT teams are embarrassed to report the attack for fear of how it reflects on their ability to have prevented it in the first place, and are concerned for their jobs as a result. Consequently, IT teams may prefer to fix the problem quietly rather than inform the C-suite.
The disconnect between IT activities and corporate risk models is a long-standing problem that has yet to be solved. Businesses need to treat cybercrime and security as an ongoing challenge that requires continuous investment and management and, most crucially, board-level support.
No business wants to be seen as weak or vulnerable, and it is this fear of reputational damage that holds organizations back from reporting cybercrime to law enforcement. According to Cyber Security: Underpinning the Digital Economy, a report by the Institute of Directors and Barclays bank, companies are keeping quiet about being the victim of a cyber-attack, even when their operations were badly affected by the incident. It may also be that organizations simply don’t understand what reporting a cybercrime entails, or what law enforcement will require of them once they do.
The dangers of unreported cybercrime
Cybercrime was not included in the Office for National Statistics’ annual Crime Survey for England and Wales until 2015. Scarily, the figures for that year alone show an estimated 2.46 million cyber incidents and 2.11 million cybercrime victims. Yet only around 716,346 attacks were reported to Action Fraud, the UK’s national fraud and cybercrime reporting centre.
The National Crime Agency (NCA) estimates that cybercrime costs the UK economy billions of pounds per year, and it regards under-reporting as a substantial problem in its own right. If businesses aren’t reporting incidents, how can the police, the NCA and other dedicated anti-crime bodies know how and where to allocate the resources to combat them?
Improved reporting and shared intelligence would also support further investigation into the serious organized crime groups responsible – whether directly or indirectly – for the bulk of cybercrime.
Advice and assistance
There is a plethora of advice available on ransomware attacks: how organizations can protect themselves and how they should respond if attacked. The problem is that many businesses lack even basic cybersecurity hygiene, such as regular system backups and the ability to roll data back to a known-good state. These are the businesses most at risk, and for them a ransomware attack could be an irreparable catastrophe.
UK law enforcement ranks cybercrime, and ransomware in particular, among the top threats to the country, and Europol does likewise. This is especially true in the new era of Ransomware-as-a-Service, where even the most technically illiterate criminal can acquire a ready-made ‘ransomware kit’. The message is clear, though: organizations should not pay the ransom. Paying only feeds the criminal business model and is counter-productive in the wider cyber arms race.
We need an accurate picture of the scale of the problem if we want to tackle this ransomware epidemic effectively. Raising awareness of the existing reporting mechanisms for cybercrime is essential to educating and encouraging businesses and individuals to report attacks, and better reporting in turn will justify more tools and resources being allocated to ransomware victims.