Stop! Thief!
Does your cyberattack incident response plan include notifying the police? This is an important step that many organizations dismiss, but should consider. Today we’ll address some of the common reasons that companies give for not involving law enforcement, and explore why it’s time for a second look.
Reason 1: I don’t know how
This is a common complaint. Though a data breach is certainly an emergency for your business, it doesn’t meet the standard of a 911 call. So, who to contact? This will depend on your jurisdiction, but it’s information that you can readily gather by calling your local police detachment or law enforcement service jurisdiction to enquire as to the procedure for reporting a cybercrime. Police services understand and recognize that cybercrime can be just as serious as a “traditional” crime, so even if they do not have a specific unit assigned to investigate, they will know who you should contact. Today – before a cyber incident occurs – call the police and be sure to record phone numbers, website links, etc. All of this valuable information can go into your cyber incident/breach response playbook so it’s there when you need it.
Also note that the procedure for reporting can vary depending on the jurisdiction and the nature of the cyber incident, so document or bookmark that information so it’s at hand if you need it. Some locations require reports over the phone, while others will require an online filing to gather information. Where online reporting forms exist, they can be used as a double-check to ensure that you’ve considered risk mitigation and data gathering/reporting procedures for the different areas mentioned on the filing.
Reason 2: It’s not worth the hassle
On the contrary, it is worthwhile and important to report any cybercrime to law enforcement. Many police services nowadays have highly-trained, sophisticated cybercrime investigation units. For example, in Ontario, the Ontario Provincial Police (OPP) have established a “Cyber Operations Centre” and a special twelve-person cybercrime team that comprises certified cybersecurity specialists. A report made to this team will be taken seriously, and will be understood by the trained investigators involved. Similarly, in the City of Toronto, the Toronto Police Services (TPS) also have established a “Computer Cyber Crime (C3) Section” of the force dedicated to investigating cybercrime. These and other regional investigative specialists maintain communications with other teams and jurisdictions around the world, so they can provide real insights and resources to complement your own internal staff and trusted cybersecurity service providers in reacting to a breach.
The police genuinely want you to report cyber incidents, just as you would report any other kind of crime against yourself or your company. An incident affecting your operation could reveal one piece of information that could be critical in shutting down entire rings of criminal enterprise or coordinated attacks.
In addition, police services actively work to assist in efforts to raise cyber awareness among the general public. They can act as a central point for gathering and cross-referencing local threat data. Then, by sharing anonymized information about the latest trends, types of attack, and types of vulnerabilities, they can help everyone defend themselves more effectively. Good corporate citizenship can help you and the wider online community stay cyber safe.
Reason 3: Privacy Concerns
Many companies fear reporting a cybercrime, with concern that the incident will go public. A breach can have a significant impact on liability exposure and brand reputation, but it’s important to remember that the police fully understand and respect the sensitivity of an incident, and take every measure to maintain confidentiality. The police focus on attribution when investigating cybercrime, not causality – in other words, they are more concerned about tracking down and punishing the cyber criminals, and will not publicize the case, or pass judgement on the IT controls that may have contributed to the crime itself. Further, in the event of a breach that you do ultimately report to the public, demonstrating that you reported the incident to your cyber investigation team as well as law enforcement demonstrates to your stakeholders that you took every measure possible to react responsibly to the incident, and employed every resource at your disposal to resolve the matter.
While privacy breach disclosures are mandatory in many jurisdictions (in Canada, for example, through federal PIPEDA legislation and some provincial regulations), today it is not generally mandatory to report cybercrime to law enforcement. Trends may be changing in this regard: Australia has recently introduced legislation that compels victims of cybercrime to come forward and make a police report, and other jurisdictions are watching with interest. In Canada, financial organizations are now being “encouraged” to report cyber crime to police, as outlined in a 2019 report to the Standing Committee on Public Safety and National Security (recommendation #6). Time will tell whether encouragement will evolve into requirement.
Reason 4: Time is of the Essence
Some executives and IT professionals are concerned that time spent dealing with the police could be better spent dealing with the incident directly. The police understand and appreciate this concern, and make every effort to streamline the information gathering process and avoid creating any kind of impediment in your own internal investigations. Usually the information they want to gather will be the same details that your own internal team or cybersecurity/breach consultants will need, so there’s little extra effort in involving law enforcement as well. The police realize that acting quickly in the face of a cyber breach is critical in reducing impact and tracking down those responsible.
Conclusion
The next time you are reviewing your incident response plan, consider putting law enforcement notification into your playbook. You could be helping yourself and the community in a time of crisis. Contact ISA today to learn more.
Additional Resources
RCMP Cybercrime Strategy: https://www.rcmp-grc.gc.ca/en/royal-canadian-mounted-police-cybercrime-strategy
OPP Opens Cyber Operations Centre : https://www.opp.ca/news/#/viewnews/5d924107ce153
Government of Canada: https://cyber.gc.ca/en/cyber-incidents and https://www.getcybersafe.gc.ca/cnt/rsrcs/rcvr-scm-en.aspx
Trends in Cybercrime Reporting to Law Enforcement. Report is a 2019 analysis of 2017 data, but still provides interesting insights: https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/2019-r006/index-en.aspx