April 5, 2023 (updated 28 Apr 2023 9:25am)

Nearly half of UK businesses keep cyberattacks secret, new research claims

Security teams are withholding information on breaches despite often being legally compelled to reveal details.

By Claudia Glover

Almost half of UK businesses polled in new research admit to having kept a cybersecurity breach secret. What’s more, over a third of British companies questioned said they had not informed authorities of a cyberattack, despite often being under a legal obligation to do so.

IT teams often do not disclose data breaches to the proper authorities. (Photo by F8 Studio/Shutterstock)

The report, released today by security company Bitdefender, polled 400 organisations each with more than 1,000 members of staff in the UK, the US, Italy, France, Germany and Spain. 

Nearly half of surveyed UK businesses told to keep a data breach a secret

UK teams are not as secretive as their US counterparts. On the other side of the Atlantic 70.7% of those surveyed said they would keep a breach from the authorities, far higher than any other country surveyed.

In the UK, just over a quarter of respondents (25.71%) said their organisation had been totally open when suffering a breach. German companies are the most transparent, with 54.41% saying they had not hidden a breach, followed by France (50.75%), then Spain (50%) and then Italy (47.6%).

When it comes to experiencing a cyberattack, 74.67% of US companies said they had dealt with a breach within the last year. In the UK this figure falls to just over half (51.43%), with the least attacked nation being France at 41.79%. 

Martin Zugek, technical solutions director at Bitdefender, said he was shocked by the number of respondents keeping breaches from the proper authorities. “We were surprised by the prevalence of the issue, which was far more common than we had anticipated,” he said.

Zugek suggests that the EU’s GDPR, which imposes strict controls on data, and penalties for those who misuse it, may have a part to play in the disparity between the numbers in the US and Europe. “It will be interesting to observe the impact of a regulatory shift in responsibilities, as indicated by early initiatives such as NIS2 Directive or the US National Cybersecurity Strategy. To revert this dangerous trend, it is important for governments to realign incentives in favour of long-term investments in cybersecurity and cyber resilience,” he said.


A lack of transparency in the industry

For many UK businesses, it is illegal to not report breaches. The UK data regulator, the Information Commissioner’s Office (ICO), lists the type of attacks which must be logged on its website. “You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay,” the watchdog said.

“Failing to notify the ICO of a breach when required to do so can result in a heavy fine of up to £8.7m or 2% of your global turnover.”

The rules are less clear in the US, said Eva Velasquez, CEO of the Identity Resources Centre, in a recent breach report. “The trend away from transparency points out the overall inadequacy of the current patchwork quilt of state data breach notification laws, many of which now date back to 2005 when virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in transit. In 2022, cyberattacks caused 90% of all data breaches,” she said.

Quite apart from any penalties for non-disclosure, businesses that fail to deal with breaches risk negatively impacting their customers, Zugek says. “Disclosing a security breach helps customers and employees protect themselves from potential harm,” he explains. “For example, if the breach involved personal information such as credit card numbers or social security numbers, affected individuals can take steps to monitor their accounts and protect themselves from identity theft.”

There is also a risk of losing control of the narrative by acting in this way. “If a security breach becomes public knowledge through other means, such as media coverage or social media, the company’s response to the incident could have a significant impact on its brand reputation,” Zugek adds.
