75% who didn't report cyber attack to leadership, felt guilty about it

Image via Pixabay

New research finds 40% of organizations have experienced a cybersecurity incident, however 48% didn't disclose those incidents to the appropriate authorities.

Keeper Security, a provider of cloud-based zero-trust and zero-knowledge cybersecurity software, released findings of its Cybersecurity Disasters Survey: Incident Reporting & Disclosure. The findings reveal widespread shortcomings in reporting cybersecurity attacks and breaches, both to internal leadership and external authorities.

The report, commissioned by Keeper Security, surveyed 400 IT and security leaders in North America and Europe to gain their insights on cyber disaster incidents, reporting and recovery. An independent research firm conducted the survey in 2023. For the purposes of this report, a cybersecurity disasters is characterized as any event that severely impacts the confidentiality, integrity or availability of an information system.

The survey reveals 74% of respondents said they were concerned about a cybersecurity disaster impacting their organization, and 40% of respondents said their organization has experienced some type of cyber disaster. Despite these concerns, reporting breaches to a company’s leadership team and to proper authorities is often avoided.

External reporting: 48% of respondents were aware of a cybersecurity attack that their organization did not report to the appropriate external authorities.
Internal reporting: 41% of cyberattacks were not disclosed to internal leadership.

Of those who admit they’ve failed to report an attack or breach to leadership, 75% said they felt “guilty” for not doing so. Fear, forgetfulness, misunderstanding and poor corporate cyber-culture all contribute to widespread underreporting of security breaches.

The top three reasons why an attack or breach was not reported to leadership were: fear of repercussion (43%); thinking reporting was unnecessary (36%); forgetting to report the incident (32%).

Failure to report was largely based on the fear of short-term harm to the organization’s reputation (43%) and potential for financial impacts (40%).

Respondents also cited a strong need for senior leadership to demonstrate a vested interest in the organization’s cyber posture, and stand beside their IT and security teams, providing the resources and support they need to report and respond to attacks.

A combined 48% of respondents did not think leadership would care about a cyberattack (25%) nor would respond (23%).
22% said their organizations had “no system in place” to report breaches to leadership.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.