It is in the public interest, and a matter of compliance, that companies disclose any cybersecurity incidents such as hacking, ransomware, and other forms of cyberattack. However, many companies are unwilling to disclose that these incidents have occurred within their organizations.
A recent survey by cybersecurity software vendor Bitdefender has revealed that nearly half (42%) of over 400 IT professionals surveyed were told to keep quiet about any data breaches and ransomware attacks that occurred within their companies. Even more concerning is the finding that 29.9% of respondents admitted to having kept a breach confidential instead of reporting it to the relevant authorities.
This trend of not disclosing threats has escalated just as cyberattacks have become more aggressive, with 52% of organizations experiencing a data breach within the past 12 months. This has raised concerns among those in the cybersecurity sector, with law enforcement agencies estimating that the number of cybercrimes that go unreported by businesses is in the millions.
Why the Cover-Up?
The question now arises: why are companies electing to hide their cybersecurity incidents? One possible reason is to project an image of security and invincibility to customers and stakeholders, even if that image is a manufactured one.
There is also an element of avoiding accountability at play. Given the legal and financial penalties companies face if they are found to be negligent in implementing cybersecurity controls and defenses, some businesses do not disclose their cybersecurity incidents in order to avoid being penalized. Otherwise, they risk ending up like IBS, which in 2020 was forced to pay $11 million to settle a class-action lawsuit brought by customers affected by a data breach that exposed their personal information.
One notable recent cover-up involved Uber, which attempted to conceal a hack that occurred back in 2016. This eventually came to light and resulted in the conviction of its former CSO Joseph Sullivan.
Cybercriminals are very much attuned to cybersecurity developments at both the macro and the company level. As such, they know very well which companies tend not to report their cybersecurity incidents and have singled these companies out as prime targets for their attacks.
Repeated attacks are not a rarity. A recent Annual Data Breach Report by the Identity Theft Resource Center found that 41% of US companies have been breached multiple times in the past five years.
Regardless of the reputation at stake and the penalties involved for a lack of due diligence in cybersecurity, it is still important for any company to faithfully report every instance of a breach or attack. The aforementioned drawbacks pale in comparison to the risk of another cyberattack, which may be more severe than the previous one and from which the company may no longer be able to recover.
For any cybersecurity measure to succeed, companies must do their part and report all incidents. Such reporting is critical to understanding the nature of these threats and to being able to combat them effectively.