Understaffed and under fire, companies fail to report cybercrimes even when they are legally obligated to notify authorities, results of a new survey show.
Nearly two-thirds of organizations continue to fail to report cybercrimes, even when the reporting may be required to comply with regulations or the law, according to a report released today.
In its "State of Cybersecurity 2020" report, education and certification organization ISACA found 62% of 2,051 surveyed cybersecurity professionals think their companies under-reported cybercrimes and, in two-thirds of cases, think the reporting of cybercrimes is mandated by regulation or law. Only 16% of companies accurately report cybercrimes, respondents said.
The high failure rate for reporting may be a sign that companies are not disclosing breaches when they should, but it more likely reflects respondents speculating that a vulnerable asset could have been breached, says Ed Moyle, a founding partner for consultancy Security Curve, which wrote the report for ISACA.
"The cynical answer is that there are probably some companies that are not reporting when they should," he says. "We know that it happens — Uber did it — but given this data, I'm a bit skeptical. It boils down to the fact that we all know security's pretty porous out there for a lot of organizations."
The failure to report cybercrimes is troubling, as under-reporting can hinder an informed response. The 62% rate for 2020 is down slightly from 2019, when 66% of respondents said they believed their companies had not reported a cybercrime when they should have.
Failing to report cybercrimes when notification is mandatory suggests companies may be circumventing regulations designed to protect consumer data. The report, for example, found 70% of respondents believe their company's cybersecurity strategy is "aligned with organizational objective," and 53% think the company's board has adequately prioritized cybersecurity.
"This implies a degree of coordination between non-security stakeholders and the security function," the report states. "The fact that the perception of under-reporting continues given strong coordination with other groups and implicit oversight implies a systemic — perhaps in some cases even purposeful — failure to report."
The report also shows cyberattacks continue to increase: About a third of companies — 32% — say they experienced more attacks, a quarter are seeing about the same number of attacks, and only 6% are seeing fewer attacks. However, compared with 2019, the rise in attacks has slowed, with 56% of respondents seeing the same or more attacks, compared with 65% last year. (A significant portion of respondents refused to answer.)
Part of the trend may be due to the general movement of business to the cloud, Moyle says.
"The absolute attack rate may be still where it has always been, but the visibility has declined," he says. "A big part of that is the lack of visibility into the cloud. They are pushing IT outside of their infrastructure and no longer have the same visibility."
Companies do not have much insight into the attackers. Only a third of respondents can classify their attackers into one or more categories, with cybercriminals the most common attacker (22%) and hackers coming in second (19%). Insiders account for the next two most common attackers, with 11% of respondents identifying malicious insiders as an attacker and 10% pointing the finger at nonmalicious insiders.
The survey also shows companies often use IT workers to conduct or support a variety of security functions. In 66% of organizations, IT operations teams are responsible for incident response, while 63% are responsible for maintaining and implementing security tools, the survey reveals. About half of all IT operations teams also have to conduct vulnerability assessments.
The sharing of responsibility may indicate a lack of adequate staffing for security, but it could also show that companies are spreading out security responsibilities as part of a move to DevOps or DevSecOps, the ISACA report points out.
"Long term, it could be a good thing," Moyle says. "Monitoring, for example, can introduce a talent drain because it is boring, so mixing it up is good and cross-training is good."
A relatively small number of organizations appear to use artificial intelligence (AI) in their security operations. The survey finds only 30% of respondents knowingly use AI, while another 28% either do not know or prefer not to answer. Only 43% of respondents are certain their companies do not use AI for security.
One interesting result, however, is that the use of machine learning and AI appears highest among groups that saw more attacks or fewer attacks, but not among those reporting "the same number of attacks," suggesting the technology may give firms greater certainty about their attack trends.