It is estimated that in 2021, the cumulative losses resulting from criminal activity on the Internet amounted to approximately USD 6 trillion [1]. World Bank data presenting the world’s largest economies currently rank the US (USD 20.9 trillion), China (USD 14.7 trillion) and Japan (USD 5 trillion) on the podium. A fictional cybercriminal country would push Japan to 4th place, while outclassing Poland, which would be ranked 22nd (0.6 trillion) in such a ranking.

The statistics quoted are to a large extent estimates. It is impossible to calculate the exact values of the losses. This is due to the fact that, to a large extent, these are intangible losses and it is very difficult to convert them directly into money. Another major challenge to accurately calculating the impact of cyber attacks remains the widespread failure to report cybercrime violations by businesses. This is a phenomenon that both the services in the USA and Poland are struggling with. The number of court proceedings regarding cybercrimes is incomparably lower than the number of cybersecurity incidents reported by security organizations. Statistical sources [2] show that these two measures are separated by several orders of magnitude. In the USA, the requirement to report ICT security incidents has been known for a long time, and in Poland it is also not new. Operators of key services, companies and local governments are required to report such incidents to CERT Polska, operating in NASK. Unfortunately, quite often incidents are not reported at all or their scale is underestimated. Research conducted by Karpersky showed that a few years ago, 40% of companies around the world consciously concealed security incidents. The same report emphasizes that concealing a situation often leads to dramatic consequences, increasing the damage. Even one unreported event can result in huge data leakage or damage to the entire infrastructure of the organization. Statistics show that disregarding and deliberately concealing incidents has a significant impact on the security of corporate data. According to the previously mentioned report [3], 46% of companies confirmed that incidents resulting from inappropriate actions of employees resulted in data leakage or compromised their security. More than a quarter of companies (28%) have lost customer information classified as confidential or very sensitive as a result of these employee negligence. 25% of the companies on the list have lost financial information, including payment information. These types of leaks can carry immediate financial losses and have a long-term impact on a company’s reputation. That is why it is so important to react quickly when a security incident occurs in the company. It is important to train employees so that they are able not only to see threats, but also to mitigate the risk with their behavior.

A separate problem related to the phenomenon of concealing cyber incidents and related losses is the fact that enterprises monitor incidents selectively. Companies, and especially large corporations, may be reluctant to report all incidents for fear of the potentially negative effects of disclosing this type of information. Admitting an incident could have an impact on the stock price, brand reputation or the imposition of financial penalties. Therefore, burglaries or leaks are not disclosed more than once, after the company has made an informed decision resulting from the analysis of the thresholds for the severity of the breach, as well as the legal and regulatory requirements.

In the aftermath of last year’s Solarwinds [4] attack, the United States stepped up its efforts to foster a broader public-private partnership with a strong emphasis on developing legislation that paves the way for more common mandatory incident reporting requirements. The new regulations are also implemented by Poland on the basis of EU regulations such as NIS2 and DORA [5]. However, the regulations alone may not be enough to improve the statistics of cybercrime reports. Solving this problem requires companies to better train their employees, support and encourage internal reporting of incidents, and above all, sharing this information with authorities, organizations operating in the cybersecurity industry and the public. Disclosure of this type of information and implementation of mechanisms for their exchange will contribute to increasing the effectiveness of deterrence and defense against the growing problem of cybercrime.