A recent survey by Bitdefender has pointed to a disturbing trend: Nearly half of IT professionals have been told to conceal data breaches and ransomware attacks within their organizations. Nearly 30% of these IT professionals admitted to keeping a breach under wraps instead of reporting it.
The survey not only revealed the trend of concealing security incidents but also explored IT professionals’ top concerns. Among these concerns, the No. 1 issue, identified by approximately 54% of respondents, was software vulnerabilities and zero-days. Following closely behind were phishing attacks (cited by 52%), supply chain attacks (49%), ransomware (48.5%), and insider threats (36.5%). The survey polled about 400 IT and security professionals at companies with 1,000 or more employees based in the U.S., UK, France, Germany, Italy, or Spain.
So, why are companies reluctant to disclose these security incidents? Beyond the exorbitant costs associated with combating ransomware attacks and data breaches, companies can face severe financial penalties. Data breaches can also cause irreparable damage to a company’s reputation and strain relationships with colleagues and management. Some companies, devastated by ransomware attacks, have been forced to lay off staff and even shutter their operations entirely. Take the case of Rackspace, which, following a massive data breach in December 2022, laid off 4% of its global workforce. In addition to fearing for the reputation of their company, employees are understandably anxious about their job security.
Matt Coose, CEO of Qmulos, a cybersecurity compliance automation firm, suggested that the necessary confidentiality surrounding cybersecurity can create a certain “spycraft mystique,” making it tempting for unscrupulous employees to hide breaches, non-compliant systems, and poor management practices. “To ensure organizations are reporting breaches, oversight mechanisms such as regular external audits, mandatory reporting to regulatory bodies, and transparent data breach reporting frameworks can be implemented,” Coose said.
Silence Yields Detrimental Effects
Remaining silent about data breaches can have long-term ramifications. Threat actors have demonstrated a preference for repeatedly targeting companies that do not report cyberattacks. Covering up breaches not only exposes organizations to legal and financial risks but also undermines the collective effort to improve cybersecurity.
IT professionals should champion a security culture that prioritizes continuous compliance, transparency, and collaboration, Coose said. By embracing technologies that boost regulatory compliance, organizations can mitigate the risk of mistakes and fraud, allowing IT professionals to focus on effectively addressing cybersecurity challenges through a shared commitment and knowledge exchange.
Organizations must create an environment where workers feel safe in making ethical choices regarding the reporting of data breaches. “This is why it is vitally important for organizations to create and foster a strong culture of ethics, governance, and transparency, with well-designed internal reporting channels and robust protections for internal whistleblowers,” Coose explained.
Furthermore, at the federal level, incentives for organizations that promptly report breaches could include reduced fines, public recognition for their commitment to transparency and integrity, or financial support to enhance cybersecurity measures, he added.
Increased Security Efforts Are the Only Way Forward
With new privacy regulations exerting immense pressure on CISOs, enterprises, and industry leaders, compliance is no longer optional. One foolproof way to avoid the ethical dilemma of reporting cyberattacks and data breaches is to double down on cybersecurity efforts.
“One strategy that can increase transparency while minimizing human errors and potential malfeasance is cybersecurity and IT compliance automation,” Coose said. “Utilizing automation in the compliance process can play a crucial role in reducing reliance on manual data collection and analysis, thereby minimizing opportunities for honest mistakes or intentional manipulation and obfuscation.”