Fear of a bollocking leads to silence over data breaches

Fear, forgetfulness, poor corporate cyber culture and misunderstanding – and no doubt sometimes all four – are to blame for nearly half of all cyber attacks still not being reported, with many bosses paralysed when the time comes to step forward.

That is the damning conclusion of a new report by Keeper Security, which reveals that 48% of organisations that experience critical cyber incidents and disasters such as ransomware attacks do not report them to the appropriate authorities, and 41% do not even disclose cyber attacks to their boards, despite the fact that three-quarters (75%) said they felt guilty about it.

Despite calls from the Information Commissioner’s Office and the National Cyber Security Centre for openness and transparency is and that cooperation may lessen the severity of regulatory penalties, the report exposes major shortcomings in how organisations respond to and report attacks and breaches.

Among the top reasons, 43% of IT and security professionals feared repercussions for reporting incidents, 36% felt reporting was unnecessary, and 32% just plain forgot. Failure to report externally was additionally attributable to fear of short-term harm to the organisation’s reputation, and the potential for financial penalties.

Respondents to the report also revealed a strong desire for senior leadership to demonstrate more of a vested interest in the organisation and provide the resources and support needed to report and respond to attack.

Nearly half (48%) said that they did not think leadership would care about a cyber attack, and nor would they respond (23%). Nearly a quarter (22%) said their organisations had no system in place to report a breach to leadership.

Preventative measures are usually less costly in the long run, both financially and from a brand reputation perspective. As such, adopting basic controls such as implementing proper credential hygiene and management will not only improve cyber hygiene, but help create a healthier cyber security culture within the business, the report maintains.

Keeper Security CEO and co-founder Darren Guccione said: “The numbers point to a need for organisations to make significant cultural changes around cyber security, which is a shared responsibility.

“Accountability starts at the top, and leadership must create a corporate culture that prioritises cyber security incident reporting, otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”