October 25, 2023 By Sue Poremba

If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach?

A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data, both corporate and personal, there was little incentive to report cyber crime. Catching cyber criminals was so difficult, and the reputational and financial damage caused by reporting a cyber incident so real, that many business leaders wondered whether contacting local law enforcement and going public with a data breach could do any good. Certainly, few would have even considered contacting a federal agency like the FBI.

Now, the business world is a lot more savvy about the risks and losses around cyber crime, and the methods used by threat actors have become more sophisticated. Ransomware attacks can weaken an organization, and data breaches have widespread consequences beyond corporate losses. Luckily, federal agencies are better equipped to handle cyber crime and they want citizens and organizations to report malicious activity.

“We recognize that many organizations may be reluctant to report incidents, but it’s vital that we shift to a culture where reporting becomes the norm and we provide victims with the support they need to respond and recover,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told Cybersecurity Dive.

When you report a ransomware attack or data breach, federal agencies can then share the information across their networks to help prevent similar events from happening again. So why are some organizations still hesitating to report?

Costs of not reporting

Data breaches are costly. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a breach is $4.45 million, an increase of 15% over the past three years. However, the cost difference between those who report the incident to law enforcement and those who don’t is vast.

“The average cost of a ransomware breach was $5.11 million when law enforcement wasn’t involved and $4.64 million when law enforcement was involved, for a difference of 9.6% or $470,000,” the report found.

Despite the cost differential, organizations still hesitate to report a data breach to law enforcement. The 37% of ransomware victims who didn’t involve law enforcement experienced both higher costs and a longer breach cycle. When law enforcement was brought in, the total time to identify and contain a breach averaged 273 days, compared to the 306 days it took those who didn’t report the attack. That’s an additional month of access threat actors have inside the network.

“Breaches are so expensive because they hit an organization in more than one area,” explained Security Scorecard. The costs of downtime, paying the ransom and/or recovering the data, reputational loss, fines under data privacy laws and mitigation processes quickly add up. The longer it takes to find and remediate a breach, the more data may be compromised.

For many companies, the default reaction to ransomware is to pay the ransom, get the data back and move on. However, you won’t find a lot of savings in paying the ransom. According to the report, paying the ransom will cut about $110,000 off the average cost of a data breach, but that doesn’t include the ransomware payment. So overall, you’ll pay more.


Is resistance to law enforcement changing?

The relationship between enterprises and law enforcement agencies on cybersecurity has been weak. Organizations typically fight any laws that would result in new regulations and compliance requirements, which makes it unlikely that the U.S. will ever have a GDPR-type regulation or any sweeping cybersecurity bills. Without regulations in place to require reporting, organizations may find it against their best interests to report a data breach, ransomware or other cyber incident. The time commitment, the lack of prosecution of threat actors and the poor media coverage with residual reputational damage are all reasons why organizations don’t bother to report data breaches.

However, law enforcement agencies have also dropped the ball in how they handle cyber incidents. For example, after the Kaseya ransomware attack, which, like the SolarWinds breach, compromised software used by thousands of customers, the FBI didn’t release the decryption key for weeks, causing a loss of business for the impacted companies. Cases like these may play a role in why organizations hesitate to report these crimes.

Federal agencies don’t do a very good job communicating with each other, either, which has hindered the trust organizations may have in reporting cyber crimes. And organizations aren’t always sure what agency to contact after a data breach. The FBI, CISA, the U.S. Secret Service and the Internet Crime Complaint Center (IC3) are all agencies that accept reports of cyberattacks, and there are some guidelines available that outline when to reach out to the federal government about an attack.

Law enforcement continues to make new strides

The way law enforcement handles data security is changing.

For one thing, regulations around industry-based data privacy rules now require incident reporting. It could also be that incidents are more commonplace, so the reputational hit isn’t as severe. The federal government has put more effort into improving cybersecurity defenses and support systems. As a result, these agencies now have mechanisms in place to help organizations remediate cyber incidents.

For instance, the FBI has encryption keys for the most popular ransomware families to share with victim organizations. As an IC3 report stated, when “individual complaints are combined with other data, it allows the FBI to connect complaints, investigate reported crimes, track trends and threats and, in some cases, even freeze stolen funds.”

The more data law enforcement has, the better it can step up its efforts to address cyber crime. In turn, it will use that information to help private and public organizations remediate attacks. As law enforcement provides encryption keys or offers details about how an attack can impact your network, companies will see a lower financial impact from a data breach.
