Whether it’s ransomware, business email compromise (BEC), or phishing attempts, the number of cyber attacks keeps rising year after year. While there’s solid data on the volume, that data comes with a caveat: organisations don’t want to disclose that they’ve suffered a data breach, so the true figures are likely higher than reported.
According to Arctic Wolf’s “The State of Cybersecurity: 2023 Trends” report, 50% of organisations experienced a breach in the past year — the same odds as flipping a coin. Out of those affected organisations, 72% did not disclose the breach when it occurred. Of the 28% that did disclose, the disclosure was limited to “some” of the breach details.
While some compliance regulations mandate breach disclosures, it’s not a universal requirement and it’s understandable that organisations wouldn’t want to publicise such bad news. While it’s clear there is a culture of secrecy around breaches, the question of why is more complex.
Why Organisations Don’t Disclose Breaches
Based on the data from the report mentioned above, there are five reasons why businesses are keeping quiet after a cyber attack:
- 38% stated “we did not disclose to the public for fear of damage to our reputation”
- 33% stated “we did not disclose because we were not required to”
- 31% stated “we did not disclose for fear of internal repercussions or career consequences”
- 25% stated “we did not disclose to our insurance providers for fear of policy changes”
- 1% stated “other” as their reason
Each of the above reasons is understandable. Reputation damage is real, especially for publicly traded companies or trusted brands. In the financial sector, it’s been reported that 67% of consumers notified of fraud changed their credit union or bank.
There’s also the risk of losing your job, or struggling to find a position elsewhere, if you’re an employee of an organisation where a data breach took place. Not to mention that cyber insurance is becoming more complicated, and it can be difficult for organisations to meet the mounting requirements, especially if a lapse in security practices led to the breach.
Should Organisations Disclose a Breach?
The above statistics show valid reasons why organisations would choose not to disclose if they were victims of a cyber attack, but if the business world is to stay ahead of mounting cyber threats, all organisations should disclose incidents. Organisations may be afraid to disclose because it seems to admit that there was a flaw in their security system or that they lacked certain security measures, but that’s often not the case. There are zero-day exploits, unexpected vulnerabilities, social engineering attacks, and of course, skilled and dedicated attackers.
None of those variables are a reflection of the hacked organisation’s security efforts, and disclosure can help future organisations understand where weaknesses lie or what to be on alert for.
“These organisations have an opportunity to help the security community if they choose to disclose some aspects of their breach,” says Arctic Wolf Field CTO Christopher Fielder. “My hope is that in the future, organisations will be more open with this information. Making indicators of compromise, method of attack, and unique characteristics of the situation known can in turn educate other practitioners on what to look for in their own environments.”