Cover-ups still the norm in the wake of a cyber incident

Despite broad hints from the likes of the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC) that openness and transparency is the right choice in the wake of a cyber attack, and that cooperation may lessen the severity of regulatory penalties, victims are still paralysed with fear when the time comes to stepping forward, a report has revealed.

In a study of IT and security team leaders, titled Cybersecurity disasters survey: Incident reporting & disclosure, Keeper Security revealed that 48% of organisations that experience critical cyber incidents and disasters such as ransomware attacks do not report it to the appropriate authorities, and 41% do not even disclose cyber attacks to their boards – 75% said they felt guilty about keeping quiet.

Broadly, the findings of the report demonstrate major shortcomings in how organisations respond to and report attacks and breaches, many of which ultimately seem to point to deep-rooted cultural issues within businesses.

Keeper said that fear, forgetfulness, misunderstanding and poor corporate cyber culture all contribute to these failings. Among other things, 43% of IT and security pros feared repercussion for reporting incidents, 36% felt reporting was unnecessary, and 32% just plain forgot. Failure to report externally was additionally attributable to fear of short-term harm to the organisation’s reputation, and the potential for financial penalties.

“The numbers point to a need for organisations to make significant cultural changes around cyber security, which is a shared responsibility,” said Darren Guccione, CEO and co-founder of Keeper Security.

“Accountability starts at the top, and leadership must create a corporate culture that prioritises cyber security incident reporting, otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”