Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Companies Fall Short on Mandatory Reporting of Cybercrimes

Understaffed and under fire, companies fail to report cybercrimes even when they are legally obligated to notify authorities, results of a new survey show.

Nearly two-thirds of organizations continue to fail to report cybercrimes, even when the reporting may be required to comply with regulations or the law, according to a report released today.

In its "State of Cybersecurity 2020" report, education and certification organization ISACA found 62% of 2,051 surveyed cybersecurity professionals think their companies under-reported cybercrimes and, in two-thirds of cases, think the reporting of cybercrimes is mandated by regulation or law. Only 16% of companies accurately report cybercrimes, respondents said. 

The high failure rate for reporting may be a sign that companies are not disclosing breaches when they should, but is more likely speculation that a vulnerable asset has the potential to be breached, says Ed Moyle, a founding partner for consultancy Security Curve, which wrote the report for ISACA.

"The cynical answer is that there are probably some companies that are not reporting when they should," he says. "We know that it happens — Uber did it — but given this data, I'm a bit skeptical. It boils down to the fact that we all know security's pretty porous out there for a lot of organizations."

The failure to report cybercrimes is troubling, as under-reporting can hinder an informed response. The 62% rate for 2020 is down slightly from 2019, when 66% of respondents said they believed their companies had not reported a cybercrime when they should have. 

Failing to report cybercrimes when notification is mandatory suggests companies may be circumventing regulations designed to protect consumer data. The report, for example, found 70% of respondents believe their companies' cybersecurity strategies is "aligned with organizational objective," and 53% think the company's board has adequately prioritized cybersecurity.

"This implies a degree of coordination between non-security stakeholders and the security function," the report states. "The fact that the perception of under-reporting continues given strong coordination with other groups and implicit oversight implies a systemic — perhaps in some cases even purposeful — failure to report."

The report also shows cyberattacks continue to increase: About a third of companies — 32% — say they experienced more attacks, a quarter are seeing about the same number of attacks, and only 6% are seeing fewer attacks. However, compared with 2019, the rise in attacks has slowed, with 56% of respondents seeing the same or more attacks, compared with 65% last year. (A significant portion of respondents refused to answer.)

Part of the trend may be due to the general movement of business to the cloud, Moyle says.

"The absolute attack rate may be still where it has always been, but the visibility has declined," he says. "A big part of that is the lack of visibility into the cloud. They are pushing IT outside of their infrastructure and no longer have the same visibility."

Companies do not have much insight into the attackers. Only a third of respondents can classify their attackers into one or more categories, with cybercriminals the most common attacker (22%) and hackers coming in second (19%). Insiders account for the next two most common attackers, with 11% of respondents identifying malicious insiders as an attacker and 10% pointing the finger at nonmalicious insiders.

The survey also shows companies often use IT workers to conduct or support a variety of security functions. In 66% of organizations, IT operations teams are responsible for incident response, while 63% are responsible for maintaining and implementing security tools, the survey reveals. About half of all IT operations teams also have to conduct vulnerability assessments.

The sharing of responsibility may indicate a lack of adequate staffing for security, but it could also show that companies are spreading out security responsibilities as part of a move to DevOps or DevSecOps, the ISACA report points out.

"Long term, it could be a good thing," Moyle says. "Monitoring, for example, can introduce a talent drain because it is boring, so mixing it up is good and cross-training is good."

A relatively small number of organizations appear to use artificial intelligence (AI) in their security operations. The survey finds only 30% of respondents knowingly use AI, while another 28% either do not know or preferred not to answer. Only 43% of respondent are certain their companies do not use AI for security.

One interesting result, however, is that the use of machine learning and AI seems highest in groups that saw more attacks or fewer attacks but not "the same number of attacks," suggesting the technology may give better certainty to firms.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.