Whether it’s ransomware, business email compromise (BEC), or phishing attempts, the number of cyber attacks keeps rising year after year. While there’s solid data on the volume, there’s a caveat, which is that organizations don’t want to disclose that they’ve suffered a data breach.
According to Arctic Wolf’s “The State of Cybersecurity: 2023 Trends” report, 50% of organizations experienced a breach in the past year — the same odds as flipping a coin. Out of those affected organizations, 72% did not disclose the breach when it occurred. Of the 28% that did disclose, the disclosure was limited to “some” of the breach details.
While some compliance regulations mandate breach disclosures, it’s not a universal requirement and it’s understandable that organizations wouldn’t want to publicize such bad news. While it’s clear there is a culture of secrecy around breaches, the question of why is more complex.
Why Organizations Don’t Disclose Breaches
Based on the data from the report mentioned above, there are five reasons why businesses are keeping quiet after a cyber attack:
- 38% stated “we did not disclose to the public for fear of damage to our reputation”
- 33% stated “we did not disclose because we were not required to”
- 31% stated “we did not disclose for fear of internal repercussions or career consequences”
- 25% stated “we did not disclose to our insurance providers for fear of policy changes”
- 1% stated “other” as their reason
Each of the above reasons is understandable. Reputation damage is real, especially for publicly traded companies or trusted brands. In the financial sector, it’s been reported that 67% of consumers notified of fraud changed their credit union or bank.
There’s also the risk of losing your job or struggling to find an external position if you’re an employee where a data breach took place. Not to mention that cyber insurance is becoming more complicated, and it can be difficult for organizations to meet the mounting requirements, especially if a lapse in security practices led to the breach.
Should Organizations Disclose a Breach?
The above statistics show valid reasons why organizations would choose not to disclose if they were victims of a cyber attack, but if the business world is to stay ahead of mounting cyber threats, all organizations should disclose incidents. While organizations may be afraid to disclose because it inherently admits there was a flaw within their security system or they lacked certain security efforts, that’s often not the case. There are zero-day exploits, unexpected vulnerabilities, social engineering attacks, and of course, skilled and dedicated attackers.
None of those variables are a reflection of the hacked organization’s security efforts, and disclosure can help future organizations understand where weaknesses lie or what to be on alert for.
“These organizations have an opportunity to help the security community if they chose to disclose some aspects of their breach,” says Arctic Wolf Field CTO Christopher Fielder. “My hope is that in the future, organizations will be more open with this information. Making indicators of compromise, method of attack, and unique characteristics of the situation known can in turn educate other practitioners on what to look for in their own environments.”
Learn more about how breaches happen with “The Top 5 Cyber Attack Vectors”
Understand how organizations are responding changes within the cyber landscape with “The State of Cybersecurity: 2023 Trends.”
