Last week, I made a short post about the difference between the perceived and actual threat to SMEs from cyber-attacks and scams, and whether there is any credible evidence to support a conclusion.  Taking a hard look at this and doing some research, I have concluded that there is credible evidence from academic research, surveys, and policy reports showing that many small and medium-sized enterprises (SMEs) tend not to report cybercrime incidents, and there are well-documented reasons why. This phenomenon is sometimes described as the “dark figure” of unreported crime in the cyber domain. 

We’ll take a look at some of that evidence later, but first, let’s turn to the gap between what people believe is happening and what the data shows is happening.  That gap is influenced by psychology, media coverage, reporting behaviour and visibility of incidents.

Let’s break it down into the categories mentioned above.

Perception of Cybercrime Against SMEs

This is shaped by:

Media Coverage

High-profile ransomware attacks or major breaches dominate headlines. They mostly involve large enterprises, and as a result SMEs often feel it’s only those large enterprises that are at risk.

Vendor & Security Marketing

Cybersecurity vendors often emphasise rising threats which, though real, are presented in a way designed to amplify urgency and drive awareness and sales.  However, the use of fear, uncertainty and doubt (FUD) can have the opposite effect if it is seen as a sales tool rather than a genuine threat, which it all too often is.

Personal Experience

If an SME owner hears about peers being attacked, their perceived risk increases dramatically.  Staying quiet about attacks can lower the perceived need for defences.

Fear of the Unknown

Cyber threats are invisible and technical. Lack of understanding increases anxiety and exaggerates perceived exposure.  Taking a technical approach to educating business people is counterproductive and generally turns them off.

Underreporting Assumptions

Not all attacks are reported; in fact, the evidence suggests that the incidence of underreporting is high.

Result

The result is that, whilst SMEs perceive cybercrime as constant, underreporting of attacks on SMEs, coupled with a lack of education (and what education there is tends to be technical rather than business focused), leads many SMEs to view the threat as being covered off by technical barriers such as firewalls and anti-virus, and as being aimed far more at the corporate sector than at the SME sector.

Actual Level of Cybercrime Against SMEs

The actual level is measured by:

  • Incident reports (law enforcement, insurers, regulators)
  • Cybersecurity firm data
  • Insurance claims
  • Surveys with verified breaches

What data typically shows:

  • SMEs are frequent targets, especially for phishing, ransomware, and business email compromise.
  • Most attacks are automated and opportunistic, not targeted.
  • Many incidents are low-level (phishing attempts), not catastrophic breaches.
  • Severe attacks do happen, but not every SME experiences them.

The actual level is significant but uneven:

  • Some SMEs face repeated attacks.
  • Others may experience mostly low-impact attempts.
  • Many attacks are blocked before damage occurs.

Is Perception Higher or Lower Than Reality?

It can go both ways:

Perception is Higher Than Reality When:

  • SMEs assume every business is constantly breached.
  • Media focus on extreme cases.
  • Attempts are confused with successful compromises.

Perception is Lower Than Reality When:

  • SMEs believe “we’re too small to be targeted.”
  • Minor incidents go unnoticed.
  • Staff do not recognise breaches.

Interestingly, many SMEs underestimate their exposure before experiencing an attack, and overestimate overall catastrophic frequency after exposure.

In Summary:

The perceived level of cybercrime against SMEs is shaped by media attention, fear, and anecdotal experience, while the actual level is determined by measurable incidents and verified data. The gap exists because cyber threats are both highly publicised and often poorly understood.

Evidence That SMEs Often Don’t Report Cyber Crime

Survey data show high levels of non-reporting

A recent Europe-wide survey found that 44% of cybercrime incidents experienced by SMEs were not reported to anyone, not the police, not a regulator, not a service provider, and that only a minority of attacks were reported formally. 

The same EU study found that when SMEs did report incidents, it was more often to a service provider than to public authorities, and that many businesses simply handled incidents internally or judged them “too trivial” to report. 

Research identifies specific reluctance factors

Scholarly reviews and empirical work indicate that SMEs are less likely to report cyber incidents for reasons including:

  • Fear of reputational damage if customers or partners learn the business was breached.
  • Concern over regulatory or legal scrutiny once an incident is disclosed.
  • Perceived cost (time, money) of reporting, especially if there’s no regulatory obligation or clear benefit.
  • Belief that incidents are minor or can be more efficiently handled internally than involving law or regulatory bodies. 

These findings align with broader research on businesses and cybercrime reporting, noting that decisions to report are influenced by the perceived severity of impact and whether the firm prioritises cybersecurity or has formal incident-response capabilities. 

Structural and awareness challenges contribute to under-reporting

More general research into SMEs and cybersecurity shows that many smaller firms lack the awareness, training, resources, and formal incident-response processes that make reporting to authorities likely in larger firms. This lack of technical know-how and prioritisation often means incidents aren’t even recognised or escalated to reporting. 

Why SMEs Might Choose Not to Report

There are several reasons, and looking across studies and surveys, as well as my own experience, common themes emerge explaining this reluctance:

  • Risk perception: SMEs often don’t think they’re targets, underestimating the likelihood or impact of cybercrime. 
  • Internal handling: Many breaches are kept in-house, either managed by IT support or resolved without escalating to law or regulatory bodies. 
  • Reputational fear: Owners worry about being seen as vulnerable or incompetent. 
  • Cost of reporting: Time and money spent on reporting (especially when not legally required) can seem unjustified. 

Does Under-reporting Matter?

Under-reporting matters because it creates a gap in official data on the frequency with which SMEs are victimised by cybercrime. This “dark figure” undermines effective policymaking, resource allocation, and threat intelligence sharing between the private sector, law and regulatory bodies, all of which are vital for improving cybersecurity resilience across the economy. 

Finally, I hope that this has provided you with a window into the lack of reporting of cybercrime, which is prevalent in, but not confined to, SMEs, and that it might encourage you to report crime if it occurs in your organisation.  I also hope that it might encourage you to look at your own defences with a critical eye and perhaps seek advice and guidance to keep you safe.
