For people who work in information security and cybersecurity, the technical consequences of a data breach are well understood. For those outside these technical roles, such as executives, operators, and business support units, articulating the actual impact of a breach can be challenging. Describing impacts in measurable financial values and other simple metrics therefore gives most stakeholders, including law enforcement, a reasonably level footing.
The 2024 Cost of a Data Breach (“CODB”) Report from IBM helps clarify the financial implications of engaging law enforcement in the response. Specifically, the CODB Report, which examined over 600 organizations, found that when law enforcement was involved during a ransomware incident, the breach cost was lower by an average of $1 million, excluding any ransom payments. That is an increase over the 2023 CODB Report, where the difference was around $470,000.
Nevertheless, law enforcement collaboration is not universal. In ransomware attacks, for instance, only 52% of the respondents involved law enforcement, with the majority of those (63%) opting not to pay the ransom. Additionally, the CODB Report showed that law enforcement assistance contributed to a reduction in breach identification and containment time from 297 days to 281 days.
So, why do nearly half of the victims hesitate to reach out to law enforcement? Let’s explore a few potential reasons.
Awareness, shame, confidentiality, and faith
In the physical world, contacting local law enforcement via 911 is a sensible first step when victimized by a crime. However, there is no equivalent “911” for cyberattacks, and certainly no menu choices for ransomware, data theft, or destructive attacks. Even experienced incident responders often ask the victim, “Have you alerted law enforcement?” or “Have you filed an IC3 report?” Typically, the answer to the former is “no” or “not yet,” and the answer to the latter is “What’s that?” Consequently, the awareness challenge persists.
Emotional reactions, such as shame, must also be considered. Imagine an employee wondering, “Did I trigger this by clicking on the wrong link?” Shame leads to hesitation, so organizations and law enforcement alike must communicate that seeking assistance is acceptable. There is another psychological factor as well: threats issued by the perpetrator, cautioning victims against contacting law enforcement.
The confidentiality element is also critical, particularly from a business impact viewpoint. Decision-makers may be uncertain about the business repercussions of law enforcement intervention. Will the information go public? Will competitors get wind of it? What privacy assurances exist? All these questions are legitimate and likely crucial given the regulatory obligations concerning cybercrime reporting.
Trust underpins all these aspects, with attitudes ranging from the simple “Can law enforcement be trusted?” to the straightforward “We lack faith in law enforcement.” These trust gaps need to be bridged.
Fostering relationships and the future of reporting
Handling a crisis requires not only proficiency but also trust, so exchange business cards before the crisis hits. The issues identified above can be tackled preemptively by initiating contact with law enforcement partners when there is no crisis. Familiarize yourself with the capabilities of local agencies, and arrange introductory meetings with officials at both the state and federal levels.
Remember, a bit of “Customer Service 101” applies here. When the crisis erupts, whom would you rather call: a general helpline or someone you know and trust?
Furthermore, the trajectory of cybercrime reporting is leaning towards more public exposure, such as the SEC reporting rules. Establishing relationships in advance can be beneficial: those relationships can buy time and serve as extra support.
The argument for involving law enforcement from a cost-saving standpoint seems rather straightforward. Hence, the challenge is more of a cultural one. Make allies, cultivate mutual trust, and establish protocols. These steps can significantly mitigate the repercussions and costs of an attack.