Cybersecurity

Cyber attacks are grossly underreported, study finds

An internal culture of fear or apathy can prevent employees from speaking up.
article cover

Luis Alvarez/Getty Images

less than 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

When many employees see something, they don’t say something, according to a recent study on cybersecurity incident reporting.

Nearly one-half of surveyed IT and security personnel “were aware of a cybersecurity attack that their organization did not report to the appropriate external authorities,” Keeper Security said in a statement last week.

The survey of 400 North American and European tech professionals also indicated that employees don’t report 41% of known cyber incidents to an organization’s management.

This doesn’t mean employees are unaware of the risks of keeping quiet—or of their responsibility to speak up. Three-fourths of respondents who didn’t report a breach said they felt “guilty” about not doing so.

Several factors might discourage an employee from reporting an incident, Keeper’s results suggested. For example, 43% of respondents cited a fear of potential consequences, 36% assumed a report was unnecessary, and 32% simply forgot to take action.

According to Keeper, the results point to the need for a cultural shift around cyber reporting—including reassuring personnel they won’t get in trouble for speaking up.

“These responses underscore the importance of business leaders creating and upholding a culture of transparency, honesty and trust when it comes to cybersecurity,” the study said. “Cybersecurity is a shared responsibility and a fear of repercussion should never deter employees from reporting incidents that stand to cause serious harm.”

If your company needs to get its cyber strategy back on track, Keeper has a crucial tip: Your organization’s top brass is essential to setting the tone. Almost half of respondents said they didn’t believe their company’s leadership would respond to or care about reports of a cyberattack.

Another tip? Make sure your firm has a clear channel for disclosing incidents to management. About 22% of respondents said their company lacked such a system, which means those companies may be “opening themselves up to legal liabilities, compliance risks and costly financial penalties,” Keeper said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.