The decision to escalate incidents to law enforcement is an area fraught with conflict. In your opinion, what are the pros and cons of law enforcement involvement? What resources and references can you cite to back up your assertions?
There are several positives to involving law enforcement in cybersecurity incidents. Firstly, when an incident results from a criminal act rather than a mistake by an employee or the company, law enforcement should be notified to handle the situation because their purpose is to stop criminals. They also have tools that can be used to locate data and criminals. Secondly, a company that cooperates with law enforcement benefits from a faster process and from credibility in the eyes of other parties and the public. Finally, law enforcement involvement makes the information usable in protecting other companies, and it deters future criminals when the current one is sentenced for the incident.
However, there are reasons why companies don’t report cybersecurity incidents to law enforcement. One reason is that companies may view the process as a time drain when they cannot see the criminal stealing anything and cannot grasp how detrimental the incident is. The lack of a legal requirement also doesn’t help with motivation when these types of incidents occur. Another reason is the belief that involving law enforcement will lead to bad press and the company being shamed by the public. Companies feel that this kind of information getting out leads to an overall decrease in reputation and in investment from shareholders.
Despite these reasonable beliefs, it is still a better choice to inform law enforcement about a cybersecurity incident within a company. While the process of ending the incident may take time, it is worthwhile: the company gains credibility with anyone who views them, law enforcement has another case to use as a tool for preventing more crimes, and the company has a better understanding of the cybersecurity incident and how to protect itself from future ones.
Current, S. (2018, March 12). Engaging with Law Enforcement When It Comes to Cybersecurity Incidents. SecurityCurrent. https://securitycurrent.com/engaging-law-enforcement-comes-cybersecurity-incidents/
Swinhoe, D. (2019, May 30). Why businesses don’t report cybercrimes to law enforcement. CSO Online. https://www.csoonline.com/article/567307/why-businesses-don-t-report-cybercrimes-to-law-enforcement.html