Keeper Security, a front-runner in cloud-based zero-trust and zero-knowledge cybersecurity software, has unveiled unsettling findings from its "Cybersecurity Disasters Survey: Incident Reporting & Disclosure." The survey highlights significant inadequacies in reporting cybersecurity attacks and breaches, both within organizations and to external authorities.
Shortcomings in Cybersecurity Incident Reporting
The survey conducted by Keeper Security underscores the absence of comprehensive policies for reporting cyber incidents, even as the threat landscape continues to expand. A staggering 74% of respondents expressed concerns about potential cybersecurity disasters affecting their organizations, with 40% confirming prior encounters with cyber disasters. However, the reluctance to report breaches to internal leadership and relevant authorities remains a prevalent issue.
External Reporting: A Worrying Trend
A concerning 48% of respondents were aware of cybersecurity attacks that their organizations had failed to report to the appropriate external authorities. This reluctance to share crucial information hampers collaborative efforts to combat and mitigate cyber threats on a broader scale.
Internal Reporting Deficiencies
Internally, the situation does not fare much better, with 41% of cyberattacks remaining undisclosed to internal leadership. This lack of transparency can obstruct swift responses and impede the implementation of necessary security measures.
Low Reporting Rates and High Guilt
Among those who acknowledged failing to report attacks or breaches to leadership, a significant 75% admitted feeling "guilty" about their omission. This widespread underreporting is attributed to factors such as fear, forgetfulness, misunderstanding, and a suboptimal corporate cybersecurity culture.
Top Three Reasons for Non-Reporting
The survey identified the top three reasons for not reporting an attack or breach:
Fear of Repercussion (43%): Concerns about potential consequences deterred employees.
Belief That Reporting Was Unnecessary (36%): Some considered the incident inconsequential.
Forgetfulness (32%): Lapses in memory played a role in non-reporting.
Cybersecurity Lacks Priority in Organizational Culture
Surprisingly, despite the potential for severe long-term consequences, organizations still struggle with disclosure and transparency practices. Fear of short-term damage to the organization's reputation (43%) and concerns about financial impacts (40%) are the primary reasons behind non-disclosure.
The Need for Leadership Support
Respondents emphasized the crucial role of senior leadership in fostering a cybersecurity-conscious culture. Nevertheless, a combined 48% doubted that leadership would show concern (25%) or respond effectively (23%) to a cyberattack. Worryingly, 22% stated that their organizations had "no system in place" for reporting breaches to leadership.
Cultural Change Urged by Keeper Security CEO
Darren Guccione, CEO and co-founder of Keeper Security, stressed the urgency of cultural shifts within organizations regarding cybersecurity.
“The numbers point to a need for organizations to make significant cultural changes around cybersecurity, which is a shared responsibility,” Guccione said. “Accountability starts at the top, and leadership must create a corporate culture that prioritizes cybersecurity incident reporting, otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”
Embracing Cybersecurity Best Practices
Given the current high-risk cybersecurity environment, enterprises must promote transparency and honesty in reporting cyber disasters. Adopting best practices, policies, and procedures is critical to safeguarding against persistent threats. Simple yet crucial measures, such as password and privileged access management, play a pivotal role in fortifying organizations against cyber disasters and their potentially devastating consequences.