Despite broad hints from the likes of the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) that openness and transparency are the right choice in the wake of a cyber attack, and that cooperation may lessen the severity of regulatory penalties, victims are still paralysed with fear when the time comes to step forward, a report has revealed.
In a study of IT and security team leaders, titled Cybersecurity disasters survey: Incident reporting & disclosure, Keeper Security revealed that 48% of organisations that experience critical cyber incidents and disasters, such as ransomware attacks, do not report them to the appropriate authorities, and 41% do not even disclose cyber attacks to their boards. Of those who kept quiet, 75% said they felt guilty about doing so.
Broadly, the findings of the report demonstrate major shortcomings in how organisations respond to and report attacks and breaches, many of which ultimately seem to point to deep-rooted cultural issues within businesses.
Keeper said that fear, forgetfulness, misunderstanding and poor corporate cyber culture all contribute to these failings. Among other things, 43% of IT and security pros feared repercussions for reporting incidents, 36% felt reporting was unnecessary, and 32% simply forgot. Failure to report externally was additionally attributed to fear of short-term harm to the organisation’s reputation and the potential for financial penalties.
“The numbers point to a need for organisations to make significant cultural changes around cyber security, which is a shared responsibility,” said Darren Guccione, CEO and co-founder of Keeper Security.
“Accountability starts at the top, and leadership must create a corporate culture that prioritises cyber security incident reporting, otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”
Crying out for support
Respondents to the Keeper Security report also revealed a strong desire for senior leadership to demonstrate more of a vested interest in the organisation and to provide the resources and support needed to report and respond to attacks.
A total of 48% of respondents said either that they did not think leadership would care about a cyber attack (25%) or that leadership would not respond to one (23%). Nearly a quarter (22%) said their organisations had no system in place for reporting a breach to leadership at all.
Guccione said that in the current high-risk security environment, it is becoming critical for organisations to encourage more transparency and honesty around incident reporting, and to adopt best practices, policies and procedures that stop threats escalating into incidents in the first place.
Preventative measures are usually less costly in the long run, both financially and in terms of brand reputation. As such, adopting basic controls such as proper credential hygiene and management will not only improve an organisation’s overall cyber hygiene, but also help create a healthier cyber security culture within the business, the report said.