New Study Reveals Cybercrime May Be Widely Underreported— Even When Laws Mandate Disclosure


ISACA’s State of Cybersecurity Report Also Finds Only 1 in 3 Organisations Highly Confident in Their Ability to Detect and Respond to Threats

While attack vectors remain largely the same year over year, attack volume will increase and cybercrime may be vastly underreported, according to the 2019 State of Cybersecurity Study from global IT and cybersecurity association, ISACA.

“Underreporting cybercrime—even when disclosure is legally mandated—appears to be the norm, which is a significant concern,” said Greg Touhill, Brigadier General (ret), ISACA Board Director, president of Cyxtera Federal and the first US Federal CISO. “Half of all survey respondents believe most enterprises underreport cybercrime, even when it is required to do so.”

Equally concerning, only 1 in 3 cybersecurity leaders (34 per cent) have high levels of confidence in their cybersecurity team’s ability to detect and respond to cyberthreats. The highest levels of confidence are correlated with teams that report directly into the CISO, and the lowest levels are correlated with teams reporting into the CIO. According to the study, 43 per cent of respondents say their teams report to a CISO, and 27 per cent report to a CIO.

“What we can conclude from this year’s study is that governance dictates confidence level in cybersecurity,” said Frank Downs, director of ISACA’s cybersecurity practices. “When the cybersecurity team reports directly to a designated and experienced cybersecurity executive, cybersecurity teams report having significantly more confidence in their team’s capability to detect attacks and respond effectively.”

These findings indicate the confusion enterprises experience when structuring cybersecurity with information technology. A CIO’s main goal is managing and implementing information technology, which is substantially different than securing and protecting it. In this reporting structure, cybersecurity can fall to a secondary consideration, leading to a team’s lack of confidence to be cyberready. In fact, a higher percentage of respondents are confident in cybersecurity reporting to the CEO than to the CIO.

ISACA’s State of Cybersecurity Study, sponsored by HCL, captures the perspectives of more than 1,500 individuals who define the field—cybersecurity managers and practitioners from across the globe. Part 1, released in March, highlighted workforce trends and challenges. Part 2, released today at Infosecurity Europe, covers attack trends.

According to State of Cybersecurity Part 2, the top three threat actors remain cybercriminals, hackers and nonmalicious insiders. Phishing, malware and social engineering top the list of prevalent attack types for the third year in a row. Ransomware is significantly down from 2018, with 37 per cent of organisations reporting that they experienced ransomware in last year’s study, compared to 20 per cent this year.

Just under half of organisations report an increase in cybersecurity attacks on their organisation this year, and 79 per cent say it is likely they will experience a cyberattack next year.

“The cyber landscape is complex. Cybersecurity, though in focus today, suffers from a siloed and static approach,” said Renju Varghese, Fellow & Chief Architect, CyberSecurity & GRC, at HCL Technologies Ltd. “Many teams are missing the attacks that significantly impact organisations because they don’t have the size or expertise to keep up with the attackers and are overwhelmed. Moreover, their existing security tools and processes are segregated and seldom work in tandem, leaving the teams staring at multiple consoles and drowning in alerts and incidents.”

However, by carefully analysing the variables that contribute to incident susceptibility and team inefficiency, organisations can better prepare themselves for the dangers presented by cyber miscreants, says ISACA’s Downs.  Specifically, analysing key organisational attributes identified in the State of Cybersecurity, such as cyber reporting structure, prevalent attack methods and team readiness through a culture of continuing professional education, organisations can increase their resilience to potential incidents.

State of Cybersecurity 2019 parts 1 and 2 are available as free downloads at The report is the latest research from ISACA’s Cybersecurity Nexus, which offers credentials, training, guidance and research for security professionals.

About the State of Cybersecurity Study
More than 1,500 cybersecurity professionals who hold ISACA’s Certified Information Security Manager (CISM) and/or CSX Cybersecurity Practitioner (CSXP) designations and positions in information in security participated in the online survey. The findings are presented in two reports, available at

Now in its 50th anniversary year, ISACA® ( is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organisations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.