Transparency And Cyber Attacks

It is impossible to estimate the proportion of data security incidents that occur but are not reported. We do have some idea of the total number of incidents. The UK 2023 cyber security breaches survey is based on responses from 2,263 UK businesses. Its conclusions indicate that about 32% of businesses and 24% of charities had experienced some sort of cyber security incident in 2022. The estimates are based on only a proportion of the total UK business sector. The majority of responses came through questionnaires, and these did not ask whether an incident had been found but not reported. Only 44 cases were followed up to harvest qualitative data. Even if the question had been asked, would anyone admit to having broken GDPR legislation?

Reasons not to report could include:

  • Procedures and people are not in place to sort it all out.
  • Avoiding unfavourable publicity.
  • Avoiding the costs of secure data protection.
  • Payment of a ransom being cheaper than sorting out the problem.

Kindus have discussed how some criminals encourage victims of attacks not to report the incident, since any ransom could be considerably less than the related fine. In reality, fines for GDPR breaches in the UK are relatively rare, but they can still be a consequence of poor data security practice. The stance of the NCSC in the UK is that, regardless of any potential fines, victims of cyber crime should report all breaches. Organisations not only have a legal duty to report data breaches; by failing to do so they also encourage further attacks.

The NCSC puts forward 6 justifications for reporting suspect data loss.

  1. Security professionals use details of previous attacks to build a strategy for combating future incidents. Without disclosure, future similar attacks will be equally likely to succeed.
  2. Reporting an attack will not make the details go public. The NCSC and similar bodies will respect the confidentiality of victims.
  3. Paying a ransom will not guarantee that the problem will go away. Attackers feel no obligation to keep their word and restore compromised systems. They now know that the target will pay and are more likely to attack again.
  4. Restoring data from backups may not completely fix the issue. Although a system may be up and running again the attacker may still have copies of confidential data that they can threaten to leak.
  5. There may be a suspicion of intrusion or compromise but no firm evidence of data loss. If data has been compromised, this may not be revealed immediately but could still come into the open at a future date.
  6. Although fines resulting from reported incidents can be high, in many cases there is no fine, or it is less than the cost of paying a ransom.

A February 2023 report by CISA (the USA’s Cybersecurity and Infrastructure Security Agency) Director Jen Easterly argues that the problem lies with technology and culture. On technology, only systems that are secure and robust should be in place. Unfortunately, the nature of computing and the numerous variables involved in interacting with systems make this a hard ask. The culture angle is more achievable. Responsibility for handling cyber incidents should not rest solely with the ‘IT People’. The ultimate responsibility should rest with the CEO and the board, whose members should be expected to understand enough about cyber risks to provide effective oversight.

The UK cyber security breaches survey indicates that this message is getting through: 30% of businesses and 31% of charities surveyed have board members or trustees explicitly responsible for cyber security as part of their job role. The qualitative follow-on interviews identified some board members as lacking cyber security knowledge, training and time. They also highlighted the importance of people in cyber roles being able to write persuasive business cases for cyber security spending, especially when they report directly to finance leads.
