Cyber attacks are grossly underreported, study finds

When many employees see something, they don’t say something, according to a recent study on cybersecurity incident reporting.

Nearly one-half of surveyed IT and security personnel “were aware of a cybersecurity attack that their organization did not report to the appropriate external authorities,” Keeper Security said in a statement last week.

The survey of 400 North American and European tech professionals also indicated that employees don’t report 41% of known cyber incidents to an organization’s management.

This doesn’t mean employees are unaware of the risks of keeping quiet—or of their responsibility to speak up. Three-fourths of respondents who didn’t report a breach said they felt “guilty” about not doing so.

Several factors might discourage an employee from reporting an incident, Keeper’s results suggested. For example, 43% of respondents cited a fear of potential consequences, 36% assumed a report was unnecessary, and 32% simply forgot to take action.

According to Keeper, the results point to the need for a cultural shift around cyber reporting—including reassuring personnel they won’t get in trouble for speaking up.

“These responses underscore the importance of business leaders creating and upholding a culture of transparency, honesty and trust when it comes to cybersecurity,” the study said. “Cybersecurity is a shared responsibility and a fear of repercussion should never deter employees from reporting incidents that stand to cause serious harm.”

If your company needs to get its cyber strategy back on track, Keeper has a crucial tip: Your organization’s top brass is essential to setting the tone. Almost half of respondents said they didn’t believe their company’s leadership would respond to or care about reports of a cyberattack.

Another tip? Make sure your firm has a clear channel for disclosing incidents to management. About 22% of respondents said their company lacked such a system, which means those companies may be “opening themselves up to legal liabilities, compliance risks and costly financial penalties,” Keeper said.