For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.
IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps to explain the financial impact when law enforcement is involved in the response. Specifically, the CODB report, which studied over 600 organizations, found that when law enforcement assisted the victim during a ransomware attack the cost of a breach lowered by an average of $1 million, excluding the cost of any ransom paid. That is an increase compared to the 2023 CODB Report when the difference was closer to $470,000.
But law enforcement involvement is not ubiquitous. For example, when an organization faced a ransomware attack only 52% of those surveyed involved law enforcement, but the majority of those (63%) also did not end up paying the ransom. Moreover, the CODB Report found law enforcement support helped reduce the time to identify and contain a breach from 297 days to 281.
So why are nearly half of victims not reaching out to law enforcement? Let us look at a few possibilities.
Read the full report
Awareness, embarrassment, secrecy and trust
Outside of cyberspace, a 911 call to local law enforcement is a pretty reasonable first call when falling victim to a crime. But there is no “911” to dial for a cyberattack, and certainly no menu options for ransomware, data exfiltration or destructive attacks. Even experienced incident responders will likely share experiences where opening questions to the victim are, “Have you contacted law enforcement?” or “Have you reported this IC3?” The first answer is often “no” or “not yet,” while the second is “I see what?” Therefore, the awareness issue is still prevalent.
We must also consider emotional responses, such as embarrassment. Think of the employee who may be thinking, “Was I responsible for this by clicking a wrong link?” Embarrassment leads to reluctance, therefore both organizations and law enforcement must message better to their people and partners that reaching out for help is okay. Moreover, add in another psychological factor: additional threats made by the actor demanding victims not contact law enforcement.
There is the secrecy aspect, especially from a business impact perspective. Decision makers may not yet know the business impact of law enforcement involvement. Will the news go public? Will competitors find out? What privacy assurances are available? All of these are reasonable questions, and likely to be important with the regulatory requirements of reporting cyber crimes.
Trust ties all these factors together, ranging from benign “Can I trust law enforcement?” to explicit “We do not trust law enforcement.” These gaps must be bridged.
Building relationships and the future of reporting
Managing a crisis requires competence, but also trust, so exchange business cards before the incident. The issues identified can be proactively addressed by reaching out to law enforcement partners when you do not need them. Learn the capabilities of your local agencies; request meet-and-greets with those in your state and federal regions.
Remember, there is a little “Customer Service 101” here. When the incident hits, what do you want: the general helpline, or somebody you know and have a bond with?
Moreover, the future of cyber crime reporting is becoming more of a public matter, such as SEC reporting rules. Having relationships in place will be beneficial. They can buy time and serve as extra hands.
The case for involving law enforcement from a cost-savings perspective appears pretty transparent. Therefore, it is more of a cultural issue. Make friends, build two-way trust and establish protocols. These can go a long way to reduce the pain and cost of an attack.
Senior Director, Educator and Author