New Study Reveals Cybercrime May Be Widely Underreported—Even When Laws Mandate Disclosure

ISACA’s State of Cybersecurity Report Also Finds Only 1 in 3
Organizations Highly Confident in Their Ability to Detect and Respond to
Threats

SCHAUMBURG, Ill.–(BUSINESS WIRE)–#ISACA–While attack vectors remain largely the same year over year, attack
volume will increase and cybercrime may be vastly underreported,
according to the 2019
State of Cybersecurity Study from ISACA.

“Underreporting cybercrime—even when disclosure is legally
mandated—appears to be the norm,” said Greg Touhill, Brigadier General
(ret), ISACA Board Director, president of Cyxtera Federal and the first
US Federal CISO. “Half of all survey respondents believe most
enterprises underreport cybercrime, even when required.”

Equally concerning, only 34 percent of cybersecurity leaders have high
levels of confidence in their cybersecurity team’s ability to detect and
respond to cyberthreats. The highest levels of confidence are correlated
with teams reporting directly into the CISO, and the lowest levels are
correlated with teams reporting into the CIO. Forty-three percent of
respondents say their teams report to a CISO, and 27 percent report to a
CIO.

“What we can conclude from this year’s study is that governance dictates
confidence level in cybersecurity,” said Frank Downs, ISACA’s director
of cybersecurity practices.

These findings indicate confusion around structuring cybersecurity with
information technology.

ISACA’s State
of Cybersecurity Study, sponsored by HCL, captures perspectives of
more than 1,500 individuals who define the field worldwide.

According to this report, released today at Infosecurity Europe, the top
three threat actors remain cybercriminals, hackers and nonmalicious
insiders. Phishing, malware and social engineering are the most
prevalent attack types for the third year in a row. Ransomware decreased
significantly; 37 percent of organizations reported experiencing
ransomware in last year’s study, compared to 20 percent this year.

Just under half of organizations report an increase in cybersecurity
attacks this year, and 79 percent consider it likely they will
experience a cyberattack next year.

“Cybersecurity suffers from a siloed and static approach,” said Renju
Varghese, Fellow & Chief Architect, CyberSecurity & GRC, at HCL
Technologies Ltd. “Many teams are missing significant attacks because
they don’t have the size or expertise to keep up with attackers.
Moreover, their existing security tools and processes are segregated and
seldom work in tandem.”

However, by carefully analyzing variables contributing to incident
susceptibility and team inefficiency—including cyber reporting
structure, prevalent attack methods and team readiness through a culture
of continuing professional education—organizations can better prepare
themselves for dangers presented by cyber miscreants, says Downs.

State of Cybersecurity 2019 parts 1 and 2 are available for free
at www.isaca.org/info/state-of-cybersecurity-2019/index.html,
as part of ISACA’s Cybersecurity
Nexus, which offers credentials, training, guidance and research for
security professionals.

About ISACA

Now in its 50th
anniversary year, ISACA^® (isaca.org)
is a global association with 140,000 members who work in governance,
assurance, risk and innovation.

Contacts

Emily Van Camp, +1.847.385.7223, evcamp@isaca.org
Kristen
Kessinger, +1.847.660.5512, communications@isaca.org