Transparency And Cyber Attacks

It is impossible to know what proportion of data security incidents occur but are never reported. We do have some idea of the total number of incidents. The UK Cyber Security Breaches Survey 2023 is based on responses from 2,263 UK businesses. It concludes that about 32% of businesses and 24% of charities had experienced some sort of cyber security incident in the preceding 12 months. These estimates are drawn from only a sample of the UK business sector. Most responses came through questionnaires, and these did not ask whether an incident had been discovered but not reported. Only 44 cases were followed up to gather qualitative data. Even if the question had been asked, would anyone admit to having broken GDPR legislation?

Reasons not to report could include:

  • Procedures and people are not in place to sort it all out.
  • Avoiding unfavourable publicity.
  • Avoiding the costs of secure data protection.
  • Payment of a ransom being cheaper than sorting out the problem.

Kindus have discussed how some criminals encourage victims of attacks not to report the incident, on the basis that the ransom could be considerably less than the related fine. In reality fines for GDPR breaches in the UK are relatively rare, but they can still be a consequence of poor data security practice. The stance of the NCSC in the UK is that, regardless of any potential fines, victims of cyber crime should report all breaches. Under UK GDPR a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it. Organisations therefore not only have a legal duty to report such breaches; by failing to do so they also encourage further attacks.

The NCSC puts forward six justifications for reporting suspected data loss.

  1. Security professionals use details of previous attacks to build a strategy for combating future incidents. Without disclosure, future similar attacks will be just as likely to succeed.
  2. Reporting an attack will not make the details public. The NCSC and similar bodies will respect the confidentiality of victims.
  3. Paying a ransom will not guarantee that the problem goes away. Attackers feel no obligation to keep their word and restore compromised systems. They now know that the target will pay and are more likely to attack again.
  4. Restoring data from backups may not completely fix the issue. Although a system may be up and running again, the attacker may still hold copies of confidential data that they can threaten to leak.
  5. There may be a suspicion of intrusion or compromise without firm evidence of data loss. If data has been compromised it may not be revealed immediately, but it could still come into the open at a future date.
  6. Although fines resulting from reported incidents can be high, in many cases there is no fine, or it is less than the cost of paying a ransom.

A February 2023 report by CISA (the USA's Cybersecurity and Infrastructure Security Agency) Director Jen Easterly argues that the problem lies with technology and culture. On the technology side, only systems that are secure and robust should be deployed. Unfortunately the nature of computing, and the numerous variables involved in interacting with it, makes this a hard ask. The culture angle is more achievable. Responsibility for handling cyber incidents should not rest solely on the 'IT people'. Ultimate responsibility should sit with the CEO and board, and board members should be expected to understand enough about cyber risk to provide effective oversight.

The UK Cyber Security Breaches Survey indicates that this message is getting through: 30% of businesses and 31% of charities surveyed had board members or trustees explicitly responsible for cyber security as part of their job role. The qualitative follow-up interviews identified some board members as lacking cyber security knowledge, training and time. They also highlighted the importance of people in cyber roles being able to write persuasive business cases for cyber security spending, especially when they report directly to finance leads.
