‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problem
Research shows that fear of the consequences is driving employees to cover up security failures


UK businesses face a huge hidden cyber risk that’s driving security practitioners mad: employees keeping quiet about cyber attacks.
More than one-third of office workers (39%) said they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack – and it's not for a lack of security awareness.
A survey of 4,500 workers across EMEA by data security and management firm Cohesity found that British employees are more aware of cyber threats, such as ransomware, than their counterparts in France and Germany.
Almost half (43%) of UK employees know exactly what ransomware is, compared with just 28% of workers in France and 30% in Germany. Four-in-five (79%) said they were confident that they could identify a malicious cyber attack.
“Staying silent if they suspect a malicious cyber attack is quite possibly the worst thing an employee could do, particularly when they claim to know the dangers,” said Olivier Savornin, GVP Europe at Cohesity.
"This reluctance to speak up leaves organizations in the dark and vulnerable to serious damage to the business."
So why are employees keeping quiet? According to the survey, 17% wouldn’t want people to think it was their fault, with the same number worried they'd get into trouble. One-in-eight said they were afraid of causing an unnecessary fuss.
This desire to hush things up is so serious that 11% said they would even try to fix the problem themselves, rather than seek official help from the company experts.
Drop the blame game, improve culture
Savornin noted that the research shows a big cultural change is needed to support workers and ultimately improve broader transparency in business.
“We need to create a workplace culture where people feel comfortable raising the alarm and are properly trained on how to recognize a cyber threat and the correct action to take - no matter how small the issue might seem," said Savornin.
Earlier this year, a survey from managed services company IT.ie found that 43% of office workers believed that they were at risk of causing a cybersecurity incident in the next 12 months.
Six-in-ten of these people blamed incomplete or non-existent cybersecurity training, with 31% blaming poor communication from management regarding cyber risks.
This isn't the first time that a reluctance to report incidents has been reported. In October last year, for example, Arctic Wolf's 2024 Human Risk Behavior Snapshot report found that a quarter of workers were too scared to report security problems.
They may have good reason for this fear, however, with a report from security firm Egress last year finding that just over half of employees caught out by phishing attacks were disciplined as a result.
Notably, four-in-ten were fired following an incident, and this only exacerbates long-term issues with reporting.
In some cases, staff have even been told not to disclose a breach. A 2023 survey from Bitdefender showed a cover-up culture had emerged at many enterprises.
The poll of 400 IT and security professionals found that nearly half of cybersecurity practitioners were told to keep data breaches under wraps by senior management figures.
Meanwhile, three-in-ten said they actively avoided disclosing a breach themselves despite specific processes being in place.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.