A survey by Infosecurity Europe of 285 companies has found that a third of businesses do not report their information security crimes and breaches.
Further to this, according to interviews Infosecurity Europe conducted with a panel of 20 chief security officers (CSOs) of large enterprises, businesses are subject to attempted e-crime every day. It is hard to establish at what point it becomes sensible to report it, though, they said: There is a balance to be made between the company’s responsibility to report crime in order to prevent and predict incidents in the wider business community and the clear material loss from damage to the businesses’ reputations.
“From my experience as a media lawyer, reporting crime to the police is a double-edged sword as invariably the press have found out about the incident within 24 hours of reporting it to the police, creating a real PR risk,” said Jonathan Coad, a media lawyer from Swan Turton.
The counterargument was given by Tony Neate, managing director of GetSafeOnline, who said: “In order to be effective, we need to know what the scale of the problem is. This can only be measured if we report incidents when they occur. How and who we report to is a matter for debate, whether it is the ISP, bank or local police. Without collating the scale of the e-crime problem, we will never truly be aware of the cost to society at large and the measures that need to be put in place to fight it.”