
Nearly half of cyber leaders claim they’ve hidden a material cybersecurity incident from their board

Reasons include thinking they could contain it internally or fear of negative repercussions.

Some things are better left unsaid…and for an alarming number of cybersecurity leaders, this includes material cybersecurity incidents.

According to a September report from cybersecurity and compliance company VikingCloud, 48% of cybersecurity leaders admitted to not reporting a material cyber incident to their board of directors and executive leadership team in the past year. The kicker? Almost nine out of ten (86%) of these leaders claim they didn’t report multiple breaches.

VikingCloud’s report is based on an online survey that queried 200 cybersecurity leaders with director-level and more senior titles. Almost three-fourths (72%) of businesses surveyed were located in the US, where the SEC requires public companies to disclose “material” cybersecurity incidents within four business days after discovery. Lauren-Brooke Waschak, a VikingCloud spokesperson, told IT Brew in an email that the company did not define what a material cybersecurity incident entails in its survey question.

Moving in silence. Security leaders had several reasons for keeping their security blips under wraps from higher-ups. Almost half (41%) said they didn’t share incidents with their leadership teams because they thought they could contain them internally without a formal disclosure.

Fear of repercussions was another factor that caused professionals to sweep incidents under the rug, with 40% claiming they didn’t report a cybersecurity incident because they believed their leadership team would react punitively. Other survey respondents said their company lacked internal reporting protocols or a “safe channel” where they could report without being disciplined, or they had feared that reputational and financial damage would follow if an incident became public.

Culture change. The report said underreporting cybersecurity incidents is a large risk for companies because it “hides the true scale of attacks and the company’s exposure, leading to false confidence in defenses.” VikingCloud recommended organizations maintain a strong culture of security.

“A strong cybersecurity defense requires creating a company security culture that provides a safe space for reporting all incidents,” the report stated. “It’s up to cyber and broader executive leadership to create those clear reporting protocols and establish a culture of continuous learning and improvement.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.