UK businesses face a huge hidden cyber risk that’s driving security practitioners mad: employees keeping quiet about cyber attacks.
More than one-third of office workers (39%) said they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack – and it's not for a lack of security awareness.
A survey of 4,500 workers across EMEA by data security and management firm Cohesity found that British employees are more aware of cyber threats, such as ransomware, than their counterparts in France and Germany.
Almost half (43%) of UK employees know exactly what ransomware is, compared with just 28% of workers in France and 30% in Germany. Four-in-five (79%) said they were confident that they could identify a malicious cyber attack.
“Staying silent if they suspect a malicious cyber attack is quite possibly the worst thing an employee could do, particularly when they claim to know the dangers,” said Olivier Savornin GVP Europe at Cohesity.
"This reluctance to speak up leaves organizations in the dark and vulnerable to serious damage to the business."
So why are employees keeping quiet? According to the survey, 17% wouldn’t want people to think it was their fault, with the same number worried they'd get into trouble. One-in-eight said they were afraid of causing an unnecessary fuss.
This desire to hush things up is so serious that 11% said they would even try to fix the problem themselves, rather than seek official help from the company experts.
Drop the blame game, improve culture
Savornin noted that the research shows a big cultural change is needed to support workers and ultimately improve broader transparency in business.
“We need to create a workplace culture where people feel comfortable raising the alarm and are properly trained on how to recognize a cyber threat and the correct action to take - no matter how small the issue might seem," said Savornin.
Earlier this year, a survey from managed services company IT.ie found that 43% of office workers believed that they were at risk of causing a cybersecurity incident in the next 12 months.
Six-in-ten of these people blamed incomplete or non-existent cybersecurity training, with 31% blaming poor communication from management regarding cyber risks.
This isn't the first time that a reluctance to report incidents has been reported. In October last year, for example, Arctic Wolf's 2024 Human Risk Behavior Snapshot report found that a quarter of workers were too scared to report security problems.
They may have good reason for this fear, however, with a report from security firm Egress last year finding that just over half of employees caught out by phishing attacks were disciplined as a result.
Notably, four-in-ten were fired following an incident, and this only exacerbates long-term issues with reporting.
In some cases, staff have even been told not to disclose a breach. A 2023 survey from Bitdefender showed a cover-up culture had emerged at many enterprises.
The poll of 400 IT and security professionals found that nearly half of cybersecurity practitioners were told to keep data breaches under wraps by senior management figures.
Meanwhile, three-in-ten said they actively avoided disclosing a breach themselves despite specific processes being in place.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
- Almost a third of workers are covertly using AI at work
- Employee phishing training is working – but don’t get complacent
- Remote work is still causing security headaches for CISOs
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malwareNews Researchers say the tool is already achieving the “gold standard” in malware classification
-
AWS CEO Matt Garman just said what everyone is thinking about AI replacing software developersNews Junior developers aren’t going anywhere, according to AWS CEO Matt Garman
-
Microsoft quietly launched an AI agent that can detect and reverse engineer malware
News Researchers say the tool is already achieving the “gold standard” in malware classification
-
Employee distraction is now your biggest cybersecurity riskNews Workplace distraction is the top reason organizations fall victim to cyber attacks, according to new research.
-
Apple just released an emergency patch for a zero-day exploited in the wild – here’s why you need to update nowNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Cyber teams are struggling to keep up with a torrent of security alertsNews Fragmented identity security processes are creating blind spots, and the proliferation of tools doesn't help
-
The Allianz Life data breach just took a huge turn for the worseNews Around 1.1 million Allianz Life customers are believed to have been impacted in a recent data breach, making up the vast majority of the insurer's North American customers.
-
US authorities just took down 'one of the most powerful DDoS botnets to ever exist’ with help from AWSNews The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.
-
UK telecoms firm takes systems offline after cyber attackNews The Warlock ransomware group said it was selling a million stolen documents
-
Everything we know about the Workday data breach so farNews HR technology firm Workday has confirmed a data breach after threat actors gained access to a third-party CRM platform.
