A survey by Infosecurity Europe of 285 companies has found that a third of businesses do not report their information security crimes and breaches. Further to this, according to interviews Infosecurity Europe conducted with a panel of 20 Chief Security Officers (CSOs) of large enterprises, businesses are subject to attempted e-crime every day, but it is hard to establish at what point it becomes sensible to report it.
There is a balance to be made between the company’s responsibility to report crime in order to prevent and predict incidents in the wider business community and the clear material loss from reputational damage.
"From my experience as a media lawyer, reporting crime to the police is a double edged sword as invariably the press have found out about the incident within 24 hours of reporting it to the police, creating a real PR risk." Says media lawyer Jonathan Coad from Swan Turton.
The counter argument is given by Tony Neate, Managing Director, GetSafeOnline who says, “In order to be effective we need to know what the scale of the problem is, this can only be measured if we report incidents when they occur. How and who we report to is a matter for debate, whether it is the ISP, bank, or local police. Without collating the scale of the e-crime problem, we will never truly be aware of the cost to society at large and the measures that need to be put in place to fight it.”
Phillip Virgo, Secretary General, EURIM, comments on the findings, “We must stop patronising small firms and consumers if we want them to do serious business on-line. “How do they find out whether their system has been recruited into a botnet or if it is their firewall, operating system, browser and applications programmes fighting for supremacy? The time has come to respond to the needs of the customer for security tools they can understand, realistic advice, guidance and support on how to use them and for reporting systems that will route their enquiry to some-one who will respond - be it law enforcement or technical support."