
Companies Fall Short on Mandatory Reporting of Cybercrimes

Understaffed and under fire, companies fail to report cybercrimes even when they are legally obligated to notify authorities, results of a new survey show.

Nearly two-thirds of organizations continue to fail to report cybercrimes, even when the reporting may be required to comply with regulations or the law, according to a report released today.

In its "State of Cybersecurity 2020" report, education and certification organization ISACA found 62% of 2,051 surveyed cybersecurity professionals think their companies under-reported cybercrimes and, in two-thirds of cases, think the reporting of cybercrimes is mandated by regulation or law. Only 16% of companies accurately report cybercrimes, respondents said. 

The high failure rate for reporting may be a sign that companies are not disclosing breaches when they should, but it more likely reflects respondents' speculation that a vulnerable asset could be breached rather than knowledge of an actual breach, says Ed Moyle, a founding partner for consultancy Security Curve, which wrote the report for ISACA.

"The cynical answer is that there are probably some companies that are not reporting when they should," he says. "We know that it happens — Uber did it — but given this data, I'm a bit skeptical. It boils down to the fact that we all know security's pretty porous out there for a lot of organizations."

The failure to report cybercrimes is troubling, as under-reporting can hinder an informed response. The 62% rate for 2020 is down slightly from 2019, when 66% of respondents said they believed their companies had not reported a cybercrime when they should have. 

Failing to report cybercrimes when notification is mandatory suggests companies may be circumventing regulations designed to protect consumer data. The report, for example, found 70% of respondents believe their companies' cybersecurity strategies are "aligned with organizational objective," and 53% think the company's board has adequately prioritized cybersecurity.

"This implies a degree of coordination between non-security stakeholders and the security function," the report states. "The fact that the perception of under-reporting continues given strong coordination with other groups and implicit oversight implies a systemic — perhaps in some cases even purposeful — failure to report."

The report also shows cyberattacks continue to increase: About a third of companies — 32% — say they experienced more attacks, a quarter are seeing about the same number of attacks, and only 6% are seeing fewer attacks. However, compared with 2019, the rise in attacks has slowed, with 56% of respondents seeing the same or more attacks, compared with 65% last year. (A significant portion of respondents refused to answer.)

Part of the trend may be due to the general movement of business to the cloud, Moyle says.

"The absolute attack rate may be still where it has always been, but the visibility has declined," he says. "A big part of that is the lack of visibility into the cloud. They are pushing IT outside of their infrastructure and no longer have the same visibility."

Companies do not have much insight into the attackers. Only a third of respondents can classify their attackers into one or more categories, with cybercriminals the most common attacker (22%) and hackers coming in second (19%). Insiders account for the next two most common attackers, with 11% of respondents identifying malicious insiders as an attacker and 10% pointing the finger at nonmalicious insiders.

The survey also shows companies often use IT workers to conduct or support a variety of security functions. In 66% of organizations, IT operations teams are responsible for incident response, while 63% are responsible for maintaining and implementing security tools, the survey reveals. About half of all IT operations teams also have to conduct vulnerability assessments.

The sharing of responsibility may indicate a lack of adequate staffing for security, but it could also show that companies are spreading out security responsibilities as part of a move to DevOps or DevSecOps, the ISACA report points out.

"Long term, it could be a good thing," Moyle says. "Monitoring, for example, can introduce a talent drain because it is boring, so mixing it up is good and cross-training is good."

A relatively small number of organizations appear to use artificial intelligence (AI) in their security operations. The survey finds only 30% of respondents knowingly use AI, while another 28% either do not know or preferred not to answer. Only 43% of respondents are certain their companies do not use AI for security.

One interesting result, however, is that the use of machine learning and AI is highest among respondents who saw more attacks or fewer attacks, and lowest among those who saw "the same number of attacks," suggesting the technology may give firms more certainty about their attack trends.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...