Almost half of UK businesses polled in new research admit to having kept a cybersecurity breach secret. What’s more, over a third of British companies questioned said they had not informed authorities of a cyberattack, despite often being under a legal obligation to do so.
The report, released today by security company Bitdefender, polled 400 organisations each with more than 1,000 members of staff in the UK, the US, Italy, France, Germany and Spain.
Nearly half of surveyed UK businesses told to keep a data breach a secret
UK teams are not as secretive as their US counterparts. On the other side of the Atlantic 70.7% of those surveyed said they would keep a breach from the authorities, far higher than any other country surveyed.
In the UK, just over a quarter of respondents (25.71%) said their organisation had been totally open when suffering a breach. German companies are the most transparent, with 54.41% saying they had not hidden a breach, followed by France (50.75%), then Spain (50%) and then Italy (47.6%).
When it comes to experiencing a cyberattack, 74.67% of US companies said they had dealt with a breach within the last year. In the UK this figure falls to just over half (51.43%), with the least attacked nation being France at 41.79%.
Martin Zugek, technical solutions director at Bitdefender, said he was shocked by the number of respondents keeping breaches from the proper authorities. “We were surprised by the prevalence of the issue, which was far more common than we had anticipated,” he said.
Zugek suggests that the EU’s GDPR, which imposes strict controls on data, and penalties for those who misuse it, may have a part to play in the disparity between the numbers in the US and Europe. “It will be interesting to observe the impact of a regulatory shift in responsibilities, as indicated by early initiatives such as NIS2 Directive or the US National Cybersecurity Strategy. To revert this dangerous trend, it is important for governments to realign incentives in favour of long-term investments in cybersecurity and cyber resilience,” he said.
A lack of transparency in the industry
For many UK businesses, failing to report a breach is illegal. The UK data regulator, the Information Commissioner’s Office (ICO), lists on its website the types of incident that must be reported. “You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay,” the watchdog said.
“Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7m or 2% of your global turnover.”
The rules are less clear in the US, said Eva Velasquez, CEO of the Identity Resources Centre, in a recent breach report. “The trend away from transparency points out the overall inadequacy of the current patchwork quilt of state data breach notification laws, many of which now date back to 2005 when virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in transit. In 2022, cyberattacks caused 90% of all data breaches,” she said.
Quite apart from any penalties for non-disclosure, businesses that keep breaches quiet risk harming their customers, Zugek says. “Disclosing a security breach helps customers and employees protect themselves from potential harm,” he explains. “For example, if the breach involved personal information such as credit card numbers or social security numbers, affected individuals can take steps to monitor their accounts and protect themselves from identity theft.”
There is also a risk that a company which conceals a breach loses control of the narrative. “If a security breach becomes public knowledge through other means, such as media coverage or social media, the company’s response to the incident could have a significant impact on its brand reputation,” Zugek adds.