Aside from being illegal, such a culture can bring down the whole firm — including the personnel who go along with the corporate negligence.
A survey this year of 400 IT and security leaders around the world, conducted to gather their insights on cyber disaster incidents, reporting and recovery, surfaced several observations about incident reporting protocols and shortcomings in organizational culture. [Note: ‘cybersecurity disasters’ are defined here as any event that severely impacts the confidentiality, integrity or availability of an information system.]
For example, despite the growing risk of cyber threats, respondents reported a lack of policies for cyber incident reporting. In terms of external reporting, 48% were aware of a cybersecurity attack that their organization did not report to the appropriate external authorities. In terms of internal reporting, 41% cited that some cyberattacks had not been disclosed to internal leadership.
Of those respondents citing they had failed to report an attack or breach to leadership, 75% felt “guilty” for not doing so. Fear, forgetfulness, misunderstanding and poor corporate cyber-culture all contributed to the widespread underreporting of security breaches in the survey.
Failures in incident reporting
The top three reasons why an attack or breach was not reported to leadership by the respondents were:
- Fear of repercussion (43%)
- Thinking reporting was unnecessary (36%)
- “Forgetting” to do so (32%)
Respondents also cited a strong need for senior leadership to demonstrate a vested interest in the organization’s cyber posture and the conviction to stand beside their IT and security teams, providing the resources and support they need to report and respond to attacks:
- 25% of respondents did not think leadership would care about a cyberattack, while another 23% did not think their leadership would respond
- 22% of all respondents indicated that their organizations had “no system in place” to report breaches to leadership
According to Darren Guccione, CEO and co-founder of Keeper Security, which commissioned the survey: “Accountability starts at the top, and leadership must create a corporate culture that prioritizes cybersecurity incident reporting: otherwise they will open themselves up to legal liabilities and costly financial penalties, and place employees, customers, stakeholders and partners at risk.”