The City of London Police have reported this week that banks are covering up the true extent of cybercrime, to the extent that only one in five crimes are actually reported.
Many who have been working in cybersecurity in Europe will barely raise an eyebrow at this stat. Secrecy surrounding cyber security breaches extends far beyond the banking sector, with organisations of all sectors preferring to keep serious cybersecurity breaches under wraps wherever possible.
More and more examples of security breaches are hitting the headlines, and often they are US-based examples such as Target, where customer information is leaked to an extent that the organisation has little choice but to come clean. Last week we saw a fairly rare example of a major breach being reported in Europe, in the case of TV5Monde, the French television channel which was hacked.
Of the cases reported either side of the pond, I am willing to bet that the news stories barely scratch the surface of the problem. Where customer notifications can be avoided, organisations often prefer to take the hit privately and stay out of the headlines.
We in the vendor community find companies are often reluctant to speak even about the good news stories we see. Even where enterprises are seeing great progress and would wish to provide leadership to their peers about their initiatives, a shroud of secrecy still prevails. No one wishes to make themselves a target by boasting about their top-notch cyber security posture, I guess?
Adrian Leppard, commissioner of the City of London Police, reported that out of the one in five cybercrimes reported, only a further one in five provoke a serious response from law enforcement agencies. Therein lies the problem?
Police departments are becoming a lot more cyber-savvy; however, the massive barriers that stand in the way of identifying perpetrators and then successfully prosecuting them no doubt put enterprises off reporting the crimes in the first place.
There is also a great deal of stigma involved in being a victim of a cyberbreach. On occasion, the errors which lead to some of the public examples of major breaches can seem frustratingly basic to the outsider. Enterprises as a whole must do a better job of taking a holistic approach to security which covers network security, the application layer and their supply chain. However, cyber is the only crime where the victim is blamed. No wonder it’s underreported.
Reforms to the EU Data Protection laws (if ever finalised!) may be a watershed moment whereby European organisations have to come forward more regularly, due to the mandatory breach notification requirements. Similar legislation is being discussed in the USA at the moment. It seems only reasonable that a customer gets a heads-up when their sensitive information is compromised.
However, there still remains a wide gamut of cybercrime that is likely to stay out of the eyes and ears of police, journalists and customers alike. Personal information and customer credit card data are not the only targets for cybercriminals. Where enterprise intellectual property or financial information, for example, is breached, chances are organisations will continue to keep that very much under wraps.