Fear, ignorance and forgetfulness are some of the reasons for widespread shortcomings in reporting cyber-attacks and breaches, both internally and externally, according to a new global survey conducted by Keeper Security.
The study, Cybersecurity Disasters Survey Incident Reporting & Disclosure, was published on September 26, 2023.
It found that, despite cyber-attacks being top of mind for IT and security leaders 40% of them said they had experienced one and 74% admitted they were concerned about a future “cybersecurity disaster” impacting their organization.
The report also showed worrying shortcomings when reporting attacks, with 41% not reported to internal leadership and nearly half (48%) keeping incidents a secret from the appropriate authorities.
Why is Cybercrime Underreported?
When asked about the reasons for their lack of internal disclosure, a combined 48% of IT and security leaders said they did not think leadership would care about a cyber-attack (25%) or would respond to it anyway (23%).
The lack of reporting to authorities was largely based on the fear of repercussion (43%) and short-term concerns about harm to the organization’s brand (36%), followed by a feeling it was unnecessary (36%) and forgetfulness (32%).
“These responses underscore the importance of business leaders creating and upholding a culture of transparency, honesty and trust when it comes to cybersecurity. Cybersecurity is a shared responsibility and a fear of repercussion should never deter employees from reporting incidents that stand to cause serious harm,” reads the report.
Reporting incidents to the government authorities is also a requirement in many countries, including the UK, the EU and the US.
In a May 2023 social media campaign to debunk cybersecurity myths, the UK Information Commissioner's Office (ICO) insisted that “Reporting a cyber incident [does not] make the incident more likely to go public [but] means you can access the wealth of support available from the UK National Cyber Security Centre and the ICO.”
⚠️Cyber-attack myth 2
— ICO - Information Commissioner's Office (@ICOnews) May 18, 2023
❌Reporting makes it more likely to go public
✅ Reporting a cyber-attack means you can access the wealth of support available from the @NCSC and ICO. It’s also important to check if there’s regulatory requirement to report: https://t.co/7ndTI7XJP0 pic.twitter.com/jL5kfdrS2T
The survey was conducted on 400 It and security leaders throughout 2023 by Keeper Security and TrendCandy Research.
Read more: Board Members Struggling to Understand Cyber Risks