Australia has a cybercrime under-reporting problem

22 November 2021 Consultancy.com.au

Threats against corporate targets may be exponentially larger than they appear, writes Murray Mills, Manager Cyber Security at IT consultancy Tecala.

When global IT and cybersecurity association ISACA declared that “under-reporting [of] cybercrime - even when disclosure is legally mandated - appears to be the norm” back in 2019, it rang alarm bells and led to a flurry of headlines. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so,” ISACA reported.

To be clear, ISACA wasn’t the first to publicly question the veracity of cybercrime statistics. Practitioners, particularly those involved in incident response and other frontline operations, have either suspected or known with a reasonable amount of certainty for some time that the problems were bigger than the official numbers made out.

Figure: Number of breaches reported under the NDB scheme – All sectors

That appears to be changing, however, as governments take a greater interest in reducing cybercrime. Recent numbers out of England and Wales were called out as underdone, and the same is now happening domestically, where the trend was highlighted in data breach statistics compiled by the Office of the Australian Information Commissioner (OAIC).

The OAIC said incidents over a six-month period fell by 16%, partly because organisations didn’t disclose when they experienced ransomware infections. “During this reporting period, a number of entities assessed that a ransomware attack did not constitute an eligible data breach due to a ‘lack of evidence’ that access to or exfiltration of data had occurred,” the OAIC said.

The result was that the scale of some of these ransomware threats was artificially muted in the public numbers.

Figure: Breaches resulting from malicious or criminal attacks – All sectors

Unpacking the reluctance to report

Historically speaking, there are reasons why attacks either go unreported or under-reported.

The financial weight of a successful cybersecurity breach on the target can be sizable. Regularly released numbers by IBM and the Ponemon Institute show the average cost of a ransomware attack is US$4.62 million (A$6.16 million), which covers “escalation, notification, lost business and response costs” but not any ransom paid.

Factor in the potential brand and customer sentiment damage on top of that and it is clear why there may be reluctance to report. Under-reporting may also be the result of cultural factors: there may be low psychological safety in some organisations, which may result in fear among staff to even acknowledge or report on an incident.

That being said, the reasons to report attacks should outweigh any perceived advantages in concealing them. If the balance favours concealment, then this is something that policymakers and industry must collectively work to resolve.

Figure: Cyber incident breakdown – All sectors

Why every attack matters

Security is very much a collective effort, and intelligence sharing within the community of practitioners is common.

Unlike in other sectors, where there may be a tendency to guard any and all knowledge as a form of intellectual property, security practitioners aren’t in competition with one another. Instead, we have a common goal to secure our environments and a common enemy, and the best way to understand that enemy – the threat they pose and that we collectively face – is to have as much information about their activities in front of us as possible, so we can make informed decisions.

It’s disappointing to see any organisation undermine this collective effort by sitting on threat information instead of reporting encounters to the relevant authorities.

It also raises key questions for practitioners:

  • What threats are we not learning about, or not staying across, because they’re not being reported?
  • What are we not focusing on or underinvesting in from a security perspective because we’re simply not aware of the possible risk?

Given what we know of under-reporting over the years, we are almost certainly missing early warning signs that could benefit all organisations in the battle to secure our organisations, people and assets.

These under-reported or unreported incidents each contain tell-tale artefacts of malware and attacker activity – termed ‘indicators of compromise’ – which, if shared, may be enough for others to avoid an infection or to detect and act against a live attack. When organisations fail to report these signs so they can be published, everybody loses.