70% of US IT Leaders Told Not to Disclose Data Breaches

Not all cybersecurity breaches get reported. A new report from Bitdefender found that although IT leaders have an obligation to report attacks, over 42% of them have been told to keep quiet when a breach should have been reported. Shockingly, in the U.S., this number rises to 70.7%.

IT leaders may have reasons to keep attacks confidential, but the high rate of silence is alarming since it could further enable attackers and limit knowledge sharing about public vulnerabilities. Keeping data breaches confidential may also go against new data breach laws in the U.S. and EU. But this is only one of many concerns around cybersecurity in 2023. IT professionals report grappling with rising threats, economic headwinds, and a shrinking staff lacking the proper security skills.

The Bitdefender 2023 Cybersecurity Assessment analyzed some of the top cybersecurity challenges organizations face in 2023. Below, we’ll examine the findings from the report and consider why a culture of silence exists around data breaches. We’ll look at the pressing cybersecurity threats across organizations and consider what solutions organizations need to evolve.

New Data on Concealing Breaches

Over half (51.7%) of organizations reported experiencing a data breach or data leak in the past 12 months. Software teams are facing a rising number of attacks across areas like vulnerable software, open source components and unknown dependencies. However, it turns out that many of these breaches weren’t handled with transparency in mind.

To reiterate, a shocking 42% of IT leaders have been told to keep a breach quiet when they knew it should have been reported. And 29.9% admitted they have kept a breach confidential when they knew it should have been reported (a figure that rises to 54.7% in the U.S.). This data demonstrates a bit of integrity on the part of IT professionals when it comes to disclosing breaches, but many face an uphill battle depending on the internal culture.

Interestingly, the culture around breach concealment changes drastically depending on the geography. While retaining confidentiality is relatively high in the U.S., it is far rarer in European countries. For example, in France and Germany, just 26.9% and 35% of IT leaders have been told to keep quiet regarding a breach, respectively.

Companies are likely worried about financial and reputational damage due to a data breach. Yet failing to meet new regulations that require increased cybersecurity reporting could result in significant legal repercussions and fines. As a result, 54.3% said they were worried about their company facing legal action due to a security breach being mismanaged. Again, in the U.S., where breach concealment is highest, 78.7% worried about facing legal action due to mishandling data breaches.

Top Cybersecurity Threats

Attackers increasingly treat malicious activity as a lucrative business. So, what kind of threats are organizations most concerned about? This year, software vulnerabilities and zero-day attacks rank highest, at 53.9%. This makes sense, given the trend of high-risk remote code execution vulnerabilities discovered, from SUNBURST to the infamous Log4j vulnerability. This risk is followed by social engineering threats and phishing attacks (52.2%), supply chain attacks (49%) and ransomware (48.5%).

Unfortunately, most IT and cybersecurity professionals (72%) reported their company had seen an increase in the sophistication of phishing attacks. These psychological attacks take advantage of human weaknesses or the lack of awareness of internal employees. This underscores the need for a zero-trust approach to adequately safeguard digital environments in the age of the remote and hybrid workforce.

To address persistent security concerns, nearly 74% said they planned to increase their security budget for 2023. A full 93% also said proactive threat hunting is very important to detect and respond to threats.

Yet, vendor solutions aren’t always living up to the market hype. Leaders reported the most significant challenge with security solutions was extending capabilities across multiple environments. This makes sense, given a company’s IT stack is often quite varied and uses multiple deployment locations. This challenge is followed by complexity, a lack of skill sets and incompatibility with other security solutions.

Final Thoughts

No one is completely immune from cybersecurity threats, and the role of addressing security is becoming more of a company-wide issue. The report found that the biggest myth around cybersecurity is that “security is solely the responsibility of the IT team.” It will take greater awareness to instill a culture of security best practices to limit insecure coding and thwart social engineering tactics.

The bar is quite high for security—and resolving security vulnerabilities won’t likely rest on a single technical solution provider. At the same time, organizations appear to desire comprehensive solutions compatible with various IT stacks and other tools. They must also expunge myths like “our organization is not a target for cybercriminals,” an attitude that may live on due in part to a lack of disclosure around exploits and leaks.

Conducted by Censuswide, the Bitdefender 2023 Cybersecurity Assessment surveyed 400 IT professionals working in organizations with over 1,000 employees in the U.S., Italy, UK, Germany, France and Spain. For further insights, the full report is available behind an email gate.

Bill Doerrfeld

Bill Doerrfeld is a tech journalist and analyst based in Seattle. His beat is cloud technologies, specifically the web API economy. He began researching APIs as an Associate Editor at ProgrammableWeb, and since 2015 has been the Editor at Nordic APIs, a high impact blog on API strategy for providers. He loves discovering new trends, researching new technology, and writing on topics like DevOps, REST design, GraphQL, SaaS marketing, IoT, AI, and more. He also gets out into the world to speak occasionally.