If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach?
A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was so difficult to catch cyber criminals, and the reputational and financial damage caused by reporting a cyber incident had many business leaders wondering if contacting local law enforcement and going public with the data breach could do any good. Certainly, no one would have even considered contacting a federal agency like the FBI.
Now, the business world is a lot more savvy about the risks and losses around cyber crime, and the methods used by threat actors have become more sophisticated. Ransomware attacks can weaken an organization, and data breaches have widespread consequences beyond corporate losses. Luckily, federal agencies are better equipped to handle cyber crime and they want citizens and organizations to report malicious activity.
“We recognize that many organizations may be reluctant to report incidents, but it’s vital that we shift to a culture where reporting becomes the norm and we provide victims with the support they need to respond and recover,” Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), told Cybersecurity Dive.
When you report a ransomware attack or data breach, federal agencies can then share the information across their networks to help prevent similar events from happening again. So why are some organizations still hesitating to report?
Costs of not reporting
Data breaches are costly. According to IBM’s Cost of a Data Breach Report 2023, the average cost of a breach is $4.45 million, an increase of 15% over the past three years. However, the cost difference between those who report the incident to law enforcement and those who don’t is vast.
“The average cost of a ransomware breach was $5.11 million when law enforcement wasn’t involved and $4.64 million when law enforcement was involved, for a difference of 9.6% or $470,000,” the report found.
Despite the cost differential, organizations still hesitate to report a data breach to law enforcement. The 37% of ransomware victims who didn’t involve law enforcement experienced both higher costs and a longer breach cycle. When law enforcement was brought in, the total time to identify and contain a breach averaged 273 days, compared to the 306 days it took those who didn’t report the attack. That is an additional month during which threat actors have access to the network.
“Breaches are so expensive because they hit an organization in more than one area,” explained Security Scorecard. The costs of downtime, paying the ransom and/or recovering the data, reputational loss, fines under data privacy laws and mitigation processes quickly add up. The longer it takes to find and remediate the breach, the more data may be compromised.
For many companies, the default reaction to ransomware is to pay the ransom, get the data back and move on. However, you won’t find a lot of savings in paying the ransom. According to the report, paying the ransom will cut about $110,000 off the average cost of a data breach, but that doesn’t include the ransomware payment. So overall, you’ll pay more.
Is resistance to law enforcement changing?
The relationship between enterprises and law enforcement agencies when it comes to cybersecurity has been weak. Organizations typically fight against any laws that would result in new regulations and compliance requirements. This makes it unlikely that the U.S. will ever have a GDPR-type regulation or any sweeping cybersecurity bills. Without regulations in place to require reporting, organizations may find it against their best interest to report a data breach, ransomware or other cyber incident. The time commitment, the lack of prosecution of threat actors and the poor media coverage with residual reputational damage are all reasons why organizations don’t bother to report data breaches.
However, law enforcement agencies have also dropped the ball in how they handle cyber incidents. For example, after the Kaseya ransomware attack, which, like the SolarWinds breach, compromised software used by thousands of customers, the FBI didn’t release the decryption key for weeks, causing a loss of business for the impacted companies. Cases like these may play a role in why organizations hesitate to report these crimes.
Federal agencies don’t do a very good job communicating with each other, either, which has hindered the trust organizations may have in reporting cyber crimes. And organizations aren’t always sure what agency to contact after a data breach. The FBI, CISA, the U.S. Secret Service and the Internet Crime Complaint Center (IC3) are all agencies that accept reports of cyberattacks, and there are some guidelines available that outline when to reach out to the federal government about an attack.
Law enforcement continues to make new strides
The way law enforcement handles data security is changing.
For one thing, industry-specific data privacy regulations now require incident reporting. It could also be that incidents are more commonplace, so the reputational hit isn’t as severe. The federal government has put more effort into improving cybersecurity defenses and support systems. As a result, these agencies now have mechanisms in place to help organizations remediate cyber incidents.
For instance, the FBI has encryption keys for the most popular ransomware families to share with victim organizations. An IC3 report stated that when “individual complaints are combined with other data, it allows the FBI to connect complaints, investigate reported crimes, track trends and threats and, in some cases, even freeze stolen funds.”
The more data law enforcement has, the better it can step up its efforts to address cyber crime. In turn, agencies will use that information to help private and public organizations remediate attacks. As law enforcement provides encryption keys or offers details about how an attack can impact your network, companies will see a lower financial impact from a data breach.