Keeper Security, the leading provider of cloud-based zero-trust and zero-knowledge cybersecurity software protecting passwords, passkeys, secrets, connections and privileged access, today released findings of its Cybersecurity Disasters Survey: Incident Reporting & Disclosure. The findings reveal widespread shortcomings in reporting cybersecurity attacks and breaches, both to internal leadership and external authorities.
Cybersecurity incident reporting falls short
Keeper’s survey shows a lack of policies for cyber incident reporting, despite the growing risk of cyberthreats. Nearly three-in-four respondents (74%) said they were concerned about a cybersecurity disaster impacting their organization, and 40% of respondents said their organization has experienced some type of cyber disaster. Despite these concerns, reporting breaches to a company’s leadership team and to proper authorities is often avoided.
- External reporting: 48% of respondents were aware of a cybersecurity attack that their organization did not report to the appropriate external authorities.
- Internal reporting: 41% of cyberattacks were not disclosed to internal leadership.
Incident reporting is low; guilt is high
Of those who admit they’ve failed to report an attack or breach to leadership, 75% said they felt “guilty” for not doing so. Fear, forgetfulness, misunderstanding and poor corporate cyber-culture all contribute to widespread underreporting of security breaches. The top three reasons why an attack or breach was not reported to leadership:
- Fear of repercussion (43%)
- Thinking reporting was unnecessary (36%)
- Forgetting to report the incident (32%)
Also Read: How to Identify the Top 5 Web Application Vulnerabilities
Organizational cultures do not prioritize cybersecurity
Despite the potential for long-term financial and reputational consequences, poor disclosure and transparency practices prevailed. Failure to report was largely based on the fear of short-term harm to the organization’s reputation (43%) and potential for financial impacts (40%).
Respondents also cited a strong need for senior leadership to demonstrate a vested interest in the organization’s cyber posture, and stand beside their IT and security teams, providing the resources and support they need to report and respond to attacks.
- A combined 48% of respondents did not think leadership would care about a cyberattack (25%) nor would respond (23%).
- Nearly one-fourth of all respondents (22%) said their organizations had “no system in place” to report breaches to leadership.
“The numbers point to a need for organizations to make significant cultural changes around cybersecurity, which is a shared responsibility,” said Darren Guccione, CEO and co-founder of Keeper Security. “Accountability starts at the top, and leadership must create a corporate culture that prioritizes cybersecurity incident reporting, otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
