Half of Cyber-Attacks Go Unreported

Fear, ignorance and forgetfulness are some of the reasons for widespread shortcomings in reporting cyber-attacks and breaches, both internally and externally, according to a new global survey conducted by Keeper Security.

The study, Cybersecurity Disasters Survey Incident Reporting & Disclosure, was published on September 26, 2023.

It found that cyber-attacks are top of mind for IT and security leaders: 40% of them said they had experienced one and 74% admitted they were concerned about a future “cybersecurity disaster” impacting their organization.

The report also showed worrying shortcomings when reporting attacks, with 41% not reported to internal leadership and nearly half (48%) keeping incidents a secret from the appropriate authorities.

Why is Cybercrime Underreported?

When asked about the reasons for their lack of internal disclosure, a combined 48% of IT and security leaders said they did not think leadership would care about a cyber-attack (25%) or would respond to it anyway (23%).

The lack of reporting to authorities was largely based on the fear of repercussion (43%) and short-term concerns about harm to the organization’s brand (36%), followed by a feeling it was unnecessary (36%) and forgetfulness (32%).

“These responses underscore the importance of business leaders creating and upholding a culture of transparency, honesty and trust when it comes to cybersecurity. Cybersecurity is a shared responsibility and a fear of repercussion should never deter employees from reporting incidents that stand to cause serious harm,” reads the report.

Reporting incidents to the government authorities is also a requirement in many countries, including the UK, the EU and the US.

In a May 2023 social media campaign to debunk cybersecurity myths, the UK Information Commissioner’s Office (ICO) insisted that “Reporting a cyber incident [does not] make the incident more likely to go public [but] means you can access the wealth of support available from the UK National Cyber Security Centre and the ICO.”