Majority of Cyber Crimes Not Reported
A survey undertaken by accounting firm KPMG of the leading companies in 12 countries concluded that almost 10% had experienced a cyber-security breach during the past twelve months, but that the majority of these companies did not take any legal action against the offenders. A representative of KPMG was quoted as saying: "What we see in the cases that are reported to us is that companies are far more concerned in recovery of assets and keeping their names out of the newspapers than they would be about prosecutions. If they report their losses to regulators or law enforcers, then the focus of any investigation generally becomes the prosecution of offenders." He also added: "The majority of frauds are committed by people inside the company. If someone has broad knowledge, they are more capable of bypassing any procedures they might have."
From an article published on www.zdnetasia.com
RUSecure™ guidelines state that an Information Security incident must be reported to outside authorities whenever this is a requirement for compliance with legal requirements or regulations. By not reporting such an incident where it is legally required that you do so, your organisation may be unwittingly aiding or abetting an offence. If you believe a crime has been committed, the following actions are strongly recommended:
- Contact the relevant regulatory body and / or law enforcement agency, as appropriate
- You may wish to take legal advice about the severity of the offence
- Gather evidence to prove malicious intent, especially if the suspects are members of staff; but consider carefully the validity of such evidence before reporting it to a third party
- Consider how best to support the investigative process with the minimum breach to your Information Security. You may wish to use a specialist Information Security organisation if you lack in-house expertise.
For further information on the above security issues and recommended actions, please refer to the following RUSecure S.O.S. topics:
- Reporting Information Security Incidents to Outside Authorities (130102)
- Collecting Evidence for Cyber Crime Prosecution (060103)
- Recording Evidence of Incidents (Information Security) (070401)
