Post-breach disclosures remain a rarity, despite constant warnings from cyber authorities that they can only help organizations if incidents are brought to their attention.
While half of organizations suffered a data breach in 2022, nearly three-quarters of those breached chose not to disclose the information, according to a report released Thursday by Arctic Wolf.
“Some organizations unfortunately still believe there is a stigma around data breach disclosure and fear that being breached means that they are not actively protecting their environments,” Christopher Fielder, field CTO at Arctic Wolf, said via email.
The rate and scale of cyber incidents show any organization can be subject to a breach and “this shouldn’t be seen as a total sign of organizational weakness,” Fielder said.
The concerns leading organizations to withhold information are aplenty, the cybersecurity firm said. Reputational damage, career impact, potential follow-up breaches, insurance premium hikes and a lack of legal obligations were the top excuses listed by IT professionals in a survey.
“Every organization is going to come up with their reason to justify why they didn’t disclose, but at the end of the day that causes more harm than good,” Fielder said. “Businesses shouldn’t have to suffer in siloed silence anymore.”
Ransomware, unsurprisingly, remains organizations’ top cybersecurity concern in 2023. More than 2 in 5 organizations represented in the survey said they were hit by a ransomware attack last year.
The vast majority of organizations hit by ransomware attacks are also choosing not to follow the advice of authorities with respect to ransom payments.
Nearly three-quarters of companies impacted by ransomware attacks last year paid some part of the ransom either directly or through their insurance provider, the report found.
Variances in how those ransom payments were doled out suggest companies align their actions with the circumstances surrounding attacks.
Among organizations that paid a ransom last year, 2 in 5 paid the ransom in full, 1 in 5 paid a portion of the ransom, and 1 in 10 allowed an insurance provider or third party to pay a portion of the ransom on their behalf.
The report was based on a survey of 701 IT professionals at the director level or above across 13 countries.