Cybersecurity incidents that go unreported stem not just from a desire to protect a company's image, but also from the fact that companies lack the knowledge or internal policies to properly recognize or deal with cyberattacks, security observers note.
A Reuters report last month stated that even though the U.S. Securities and Exchange Commission had issued a document outlining how and when companies should report hacking incidents and cybersecurity risks, some major companies known to have significant digital security breaches still "said nothing" about the incident a quarter later.
In addition, a Reuters review of more than 2,000 filings made since the SEC guidance found that some companies, including Internet infrastructure companies, had disclosed new information about hacking incidents. Yet the vast majority of companies only used "new boilerplate language" to describe a general risk, and some victims did not even do that, it noted.
Guillaume Lovet, senior manager of Fortinet's FortiGuard Labs Threat Response team, said companies avoid reporting cyberattack incidents because doing so hurts their reputations and public images "badly".
"In a world where physical assets make up less and less of a company's worth, reputation is worth relatively more," he said, adding that surveys have shown that firms see reputation loss as a higher risk to doing business than disruption of production tools.
However, more often than not, the underlying reason is a lack of resources offered or allocated by the company's top management to cybersecurity tools, as well as a lack of regulations and policies within the companies, Anthony Lim, regional director of SecureAge, noted.
Lim elaborated in an e-mail that many companies lack adequate knowledge, skill or appropriate resources to know that a cyberattack is actually happening, leading to an "advertent non-reporting".
As such, this phenomenon is due more to ignorance, incompetence or inexperience than to "avoiding a public relations disaster", he said, noting that companies may often think a problem is smaller than it actually is and underestimate what it takes to fix it and move on. Organizations sometimes know of their own lack of resources, skills or processes and try to cover it up by not reporting, while "scrambling to backpedal and fix it", he added.
Lim further explained that companies often lacked internal policy, contingency plans and ownership, and hence when a cyberattack incident arose, different groups within the organization would start "passing the buck", or pushing the issue around. The victim organization may also not know which authority was the appropriate one to report the incident to, or what the process entailed.
Eventually the incident would not be reported, he remarked.
Educate, guarantee privacy, enforce laws
However, companies must start being open about being breached, because reporting the incident will give rise to assistance and training from national authorities to help the victim organization improve its IT security assets and policies with regard to business needs, Lim advised.
He also explained that cyberattack incidents may "form patterns" that government security agencies can observe and use to formulate preventive and educational takeaways, eventually helping to prevent other companies and individuals from being breached.
Similarly, Singapore's Infocomm Development Authority (IDA) has formed the Singapore Computer Emergency Response Team (SingCERT), where the public can report and seek assistance for cybersecurity incidents. IDA and its partners from the public and private sectors have also formed the Cyber Security Awareness Alliance, which raises awareness and adoption of cybersecurity measures among individuals and businesses through educational workshops, seminars and collaterals.
"We believe that education and awareness play an important role in addressing the issue of unreported security breaches," an IDA spokesperson said.
Lim also noted that governments can encourage more reporting by guaranteeing privacy and amnesty, and by making clear that the only reason for reporting is for purposes of statistics, trending, training, planning defense and improving advisory services. The lack of such guarantees is the number one reason why organizations do not report cyber incidents, he remarked.
Offering free help to breached companies "would not hurt", Lovet added, though he admitted that the cost of reputation loss mentioned earlier may still make it not economically worthwhile for companies to report incidents.
It would be more effective if there were laws that forced them to make such reports, with financial penalties for failing to do so, he noted.