Nine out of 10 reported cyber incidents never reach court
Whether it is because of legal risks, reputational damage or concerns over business continuity, reporting cyber incidents is rare and pursuing them legally is even more so
Of the more than 1.2 million cyber incidents in the UK every year, 90 per cent of those reported to government do not go to court. Businesses have a variety of reasons for not telling the authorities when they have been the victim of an attack, but many are based on flawed assumptions.
"There are a number of reasons why some victims don't want to support a criminal investigation," said Ben Russell, head of threat response at the National Crime Agency, during Computing's Enterprise & Risk Management Live event today.
Legal risks like information sharing and data privacy come high on the list. Russell said that the NCA has worked with "a number of firms" whose lawyers advise them that they are not allowed to share any information. However, he added, "I don't think I've ever encountered a single incident where it wasn't [legally] possible to share that information with us."
There may be situations where sharing information carries a genuine risk; in those cases companies may elect to share on an intelligence-only basis, where the information is guaranteed not to become part of a criminal investigation. These arrangements can be managed in consultation with the NCA.
Another prominent fear is that of reputational damage, especially from firms that provide a public service. However, often the criticism and damage will be worse if they wait, said Russell, citing the 2016 Uber hack that the firm took almost a year to disclose. He added that the legal public disclosure usually comes long after the event has occurred: the 2015 TalkTalk hack took two years to reach courts.
Many victims are concerned about business continuity. "We often hear, 'No, we don't want a police investigation because you're going to have to come round and seize our servers and pull things out of the wall to take it to your lab. We've got jobs to do and we're trying to make money'," but this is an erroneous assumption.
"Our investigations will rarely affect business operations. We don't come in and close things down, we don't come in and stop things working; we certainly don't come in and take things away - we don't have anywhere to put them."
Next is the regulatory framework that many companies work within. "If you have to report to the Information Commissioner, why report to somebody else when you don't necessarily have to?" is the most common argument in support of this point.
Russell emphasised that the NCA is not a regulatory body, and that the organisation is under no obligation to share information with regulators. "It is not our responsibility to carry out the regulatory duties of business," he said.
Finally, the reasons that the NCA hears most often are 'unclear why' and 'unclear how': 'Why should I report - what are the business benefits?' and 'How do I report?'
The NCA's expertise should be its own reason to report a breach, Russell feels. "We're doing this work day-in, day-out. We know what a good incident response looks like and we know what bad incident response looks like… Our experience is in the event of a breach, the more people there to help and advise the better."
As for how to report an incident, companies can email Action Fraud - or, if the crime is in progress, phone them on 0300 124 2040.