Ransomware Underreporting: A Global Challenge Obscuring the True Threat
Ransomware attacks are one of the most impactful cybersecurity threats globally, yet underreporting continues to distort the true extent of the problem. While some data, such as that from Canada, provides insight into how widespread underreporting can be, this issue is prevalent worldwide. Underreporting hinders effective policy-making and awareness, leaving gaps in both organizational defenses and national strategies to mitigate cyber threats. Below, we’ll examine underreporting from a global perspective, its impact, and what data from countries like Canada, the U.S., and across Europe reveals about this pressing problem.
1. Ransomware on the Rise: The Global Scale of the Threat
- Global Ransomware Surge: As of early 2024, ransomware attacks increased by 62% from the previous year, reflecting a broad surge across industries (Sophos 2024 Cyber Threat Report).
- Regional Snapshots:
  - Canada: Canadian organizations report only 40-60% of ransomware incidents, according to estimates from the Canadian Internet Registration Authority (CIRA), citing fears of reputational and financial damage as top reasons for underreporting (CIRA).
  - United States: The FBI’s Internet Crime Complaint Center (IC3) reported over 3,000 ransomware incidents in 2023 alone, yet cybersecurity experts estimate that the actual number may be twice as high due to underreporting, especially among smaller businesses (FBI IC3 Annual Report).
  - European Union: The European Union Agency for Cybersecurity (ENISA) has also noted significant underreporting, particularly in critical sectors like healthcare and energy, despite the EU’s General Data Protection Regulation (GDPR), which mandates breach disclosures (ENISA Threat Landscape).
2. Factors Contributing to Ransomware Underreporting
- Legal Issues: Most companies have a zero-tolerance policy towards “legally grey areas” and routinely deny any involvement in the subject in question. New laws and regulations making it illegal to pay ransom backfired completely.
- Privacy as Second-Order Legal Issue: For many companies, confirming a successful cyberattack means confirming a data breach, which exposes them to harsh consequences and (in the case of GDPR) very high fines.
- Reputational Concerns: Across regions, organizations worry that admitting to ransomware attacks will damage public trust, especially in sensitive sectors like finance, healthcare, and critical infrastructure.
- Legal and Regulatory Gaps: While some regions, like the EU under GDPR, enforce breach reporting, the lack of strict, uniform regulations worldwide allows many organizations to avoid public disclosures. In the U.S., for example, breach notification laws vary by state, and federal mandates are limited, making underreporting easy for many businesses. International companies can easily choose their jurisdiction for an attack on public, international infrastructure or servers.
- Economic Impact and Recovery: Smaller businesses especially hesitate to report attacks due to the high costs associated with recovery, potential fines, and the risk of customer loss. This is notable in countries with less robust cyber incident response infrastructure, where many firms operate under the assumption that remaining quiet might avoid larger fallout.
- Regulatory Overhead: Being GDPR compliant is an ongoing process that needs a lot of work and expertise. Under the pressure of an ongoing attack, a company may notice that it has fallen short of those regulatory measures (such as continuous documentation, pentesting and self-checks) and cannot catch up on the fly, raising additional legal concerns.
3. Recent Ransomware Incidents and Underreporting Examples
- Healthcare Sector in the U.S.: The 2023 ransomware attack on Prospect Medical Holdings in the U.S. shut down services across multiple hospitals, highlighting vulnerabilities in healthcare infrastructure. Although widely publicized, many healthcare facilities fail to report ransomware attacks, citing reputational risks and patient trust concerns (The New York Times).
- Energy and Utilities in Europe: European energy companies, which are frequent ransomware targets, often avoid disclosing incidents due to fears of public backlash and operational instability. Under GDPR, only data breaches must be reported, allowing ransomware incidents that do not involve stolen data to go unreported (European Commission Reports).
- Public Sector Example: In Canada, the Newfoundland and Labrador healthcare system suffered a major ransomware attack in late 2022, disrupting operations for weeks. This incident, although reported, is part of a broader pattern where underreporting skews the real impact on public services (Global News).
4. Implications of Ransomware Underreporting on Global Security
- Policymaking Challenges: Accurate threat data is essential for effective policy-making. Underreporting leaves cybersecurity agencies, especially those within governments, with an incomplete understanding of ransomware’s prevalence and impact, leading to policy gaps and insufficient resource allocation.
- Economic and Strategic Risks: Underreporting undermines national and international security strategies by making it difficult to predict attack patterns or identify high-risk industries. Businesses that underestimate ransomware risks may delay critical cybersecurity investments, leading to increased vulnerabilities across sectors.
- Vulnerable Sectors: Critical industries such as energy, healthcare, and public infrastructure are particularly at risk from underreporting. As these industries are essential for societal functioning, accurate data on ransomware incidents is crucial for understanding systemic vulnerabilities.
Steps Toward Better Ransomware Transparency
- Enhanced Reporting Standards: Adopting mandatory reporting regulations similar to the GDPR’s breach disclosure mandates could help increase transparency. However, an ideal framework would require all ransomware incidents—not just data breaches—to be reported.
- Public-Private Cybersecurity Partnerships: Governments can work with private-sector entities to encourage reporting and incident sharing through anonymized platforms, ensuring sensitive data remains protected while enhancing threat visibility.
- Support for Small and Medium Businesses: Given that SMBs are among the most affected but least likely to report ransomware, providing financial and technical assistance may incentivize them to disclose incidents, benefiting overall cybersecurity resilience.
Key Statistics on Ransomware Underreporting
Issue | Details & Insights | Sources |
---|---|---|
Cyber attacks are grossly underreported | A study revealed that 41% of known cyber incidents are not reported by employees, contributing to a significant underreporting of cyberattacks in organizations. | IT Brew |
Half of Cyber-Attacks Go Unreported | A report highlighted that almost 50% of cyber-attacks in 2023 were not reported to appropriate authorities, which can lead to inadequate responses and further vulnerabilities. | Infosecurity Magazine |
The Unseen Problem of Unreported Cybercrime | Studies show that only one in seven cybercrimes is reported, meaning over 85% of cybercrime remains hidden within organizations, making it difficult to effectively address or understand the full scale. | Anapaya |
Why Many Cyberattacks are Never Reported | Despite the presence of regulatory frameworks like in healthcare, many cyber incidents are not reported, causing a significant gap in data and response. | IDX |
Cyberattacks and Underreporting in Financial Sectors | Cyberattacks are often underreported in the financial sector, making it difficult to gauge the true scale of the threat and risks to the industry. | European Central Bank |
Underreporting Cyberattacks in Schools | Many school districts underreport cyberattacks to avoid negative publicity or backlash from parents and the media, further hindering the transparency of cybersecurity incidents in education. | EdTech Magazine |
Myths Around Reporting Cyber Attacks | The National Cyber Security Centre addresses common misconceptions that prevent organizations from reporting cyberattacks, urging a culture of transparency and accountability. | NCSC |
Most Security Breaches Go Unreported | Historically, a large percentage of security breaches go unreported. A survey of RSA conference attendees revealed that over 89% of incidents went unnoticed or undocumented in 2007, showing the issue hasn’t been solved in almost 20 years. | Dark Reading |
Why Security Incidents Often Go Underreported | Studies show that security incidents are underreported due to employee negligence or fear of repercussions, even when there are obligations to report them. | Security Intelligence |
Cybercrime in SMEs | Research into Small and Medium Enterprises (SMEs) highlights how they are particularly vulnerable to cybercrime, but often fail to report incidents due to resource limitations and lack of awareness. | ScienceDirect |
Risks of Internal vs External Theft | The risks of internal theft, especially through social engineering, are becoming a significant concern for organizations. Internal theft is now a major vector for cybercrime. | Lockton Affinity Advisor |
Cyberattacks in Canada | Cyberattacks are becoming more frequent in Canada, targeting critical infrastructure, retailers, and even non-profits. This rise in cybercrime is expected to continue into 2024. | Maclean’s |
Conclusion
The global cybersecurity landscape is heavily impacted by ransomware underreporting. We took countries like Canada as examples because the topic has been covered in more depth there and Canada also seems to have one of the largest blind spots (estimates go up to 90% of cases being unreported), but the issue is universal across the entire EU, the USA and pretty much the rest of the world.
It affects critical sectors, especially healthcare, energy, and finance. Enhancing transparency around ransomware incidents through improved regulation, robust public-private partnerships, and support for SMBs will be essential for tackling this hidden crisis and strengthening global cybersecurity defenses.
For further reading on ransomware and cyber threats, see the European Union Agency for Cybersecurity’s Threat Landscape (ENISA) and the Canadian Internet Registration Authority’s Cybersecurity Report (CIRA).