[BreachExchange] Businesses are still scared of reporting cyberattacks to the police

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 4 15:46:03 EST 2016


http://www.zdnet.com/article/businesses-are-still-scared-of-reporting-cyberattacks-to-the-police/

Under a third of cyberattacks against businesses are reported to the
police, suggesting that organisations are underestimating the threat posed
by hackers and cybercrime, a new study has warned.

According to Cyber Security: Underpinning the Digital Economy, a report by
the Institute of Directors and Barclays bank, companies are keeping quiet
about being the victim of a cyberattack, even if their operations were
badly affected by such an incident -- as figures suggest was the case for
half of respondents.

The research suggests that only 28 percent of cyberattacks against
businesses were reported to the police, despite many police forces now
having dedicated cybercrime divisions.

While it's likely that fear of damage to reputation is keeping many
businesses from even alerting the authorities to incidents, the Institute
of Directors argues that every crime "as a minimum" should be reported to
Action Fraud Aware, the UK's national reporting centre for fraud and
internet crime.

However, businesses aren't even undertaking this minimal reporting of
cybercrime, the report found, because 68 percent of respondents suggested
they weren't even aware of the organisation.

That's just one example of the disconnect between how many businesses
describe cybersecurity as a priority and how few are actually taking
action to properly react to and protect themselves from such an incident.

Indeed, the report finds that whilst nine in ten business leaders said that
cybersecurity was important, only around half had a formal strategy in
place to protect themselves and just a fifth held insurance against an
attack.

"Cybercrime is one of the biggest business challenges of our generation and
companies need to get real about the financial and reputational damage it
can inflict. The spate of recent high-profile attacks has spooked employers
of all sizes and it is vital to turn this awareness into action," says
Professor Richard Benham, professor in residence at the National Cyber
Skills Centre and author of the report.

Professor Benham suggests that organisations must act and take cybercrime
as seriously as they would a physical theft in the real world: "No
shop-owner would think twice about phoning the police if they were broken
into, yet for some reason, businesses don't seem to think a cyber breach
warrants the same response," he says.

The answer that's often suggested, Professor Benham says, is that
cybersecurity must become a companywide issue, rather than just something
IT is expected to take total responsibility for.

"Our report shows that cyber must stop being treated as the domain of the
IT department and should be a boardroom priority. Businesses need to
develop a cybersecurity policy, educate their staff, review supplier
contracts, and think about cyber insurance."

The report also demonstrates confusion about data storage, another factor
which is potentially putting businesses at risk of data theft.

While 59 percent of organisations say they outsource their data storage, 43
percent of those have no idea where that data is physically stored. That in
itself, says the report, creates risks as the data might fall under unknown
requirements about disclosure.

Cloud companies, the report says, may seem like they offer greater
protection for sensitive data which companies want to keep safe, but
ultimately cloud is just someone else's server and "faces the same risks of
being hacked, neglected or compromised by staff as other businesses".

Ultimately, the report concludes, businesses must work more closely with
the authorities in order to reduce the risks of cyberattacks.

"Cybersecurity is a critically important national infrastructure
requirement and the role of GCHQ, working with and protecting businesses
from international threats, will increase," it says.