Bitdefender released its 2023 Cybersecurity Assessment report Wednesday, which surveyed more than 400 IT and security professionals located in the U.S., U.K., Germany, France, Italy and Spain. Job titles ranged from junior managers to CISOs, and participants worked in enterprises with 1,000 or more employees.
The research examined the past year's threat landscape and highlighted key security challenges enterprises faced. One question it addressed was, "Have you ever been told to keep a security breach confidential or kept it confidential when you knew it should be reported?"
Transparency following an attack is an ongoing issue, in part because many enterprises fear full disclosure may affect their reputation negatively. Additionally, cyber insurance policies increasingly include notification requirement clauses. A victim could face penalties for reporting ransomware attacks to law enforcement before the insurer, for example.
Bitdefender's report highlights the current scope of this transparency problem. Fifty-two percent of surveyed respondents said their organizations suffered a data breach during the previous 12 months.
The percentage told to keep quiet was alarming, Bitdefender said.
2023 Cybersecurity Assessment, Bitdefender
"Perhaps even more shocking than the percentage of organizations to suffer a data breach is the fact that many IT leaders say they have been told to keep a security breach confidential when they knew they were obligated to report it," the report read.
The 2023 Cybersecurity Assessment determined that 42% of surveyed respondents said they were told to keep a breach confidential when they should have reported it, and nearly 30% said they had kept a breach confidential knowing it should have been reported.
When it comes to U.S.-based organizations, those percentages only increased. Seventy percent of U.S.-based respondents said they had been told to maintain breach confidentiality, while nearly 55% "said they had kept a breach confidential when they knew it should have been reported."
For comparison, the same percentages ranged from 44% to 54% for security professionals located in the U.K., Germany, Italy, Spain and France. Another notable factor Bitdefender mentioned was how the percentage varied depending on the department.
According to the report, "66% of human resource and employees in legal departments were told to keep a data breach quiet, compared to 45% of CTOs and 39% of CIOs."
Martin Zugec, technical solutions director at Bitdefender, told TechTarget Editorial via email that while the software vendor expected to encounter some level of the transparency issue, it was surprised by the prevalence. He said it was far more common than he anticipated.
"We can only speculate why they are being told to keep quiet -- but most likely it is due to fear of potential monetary backlash either through fines or needed resources (time and money) to alert stakeholders such as customers," Zugec said.
As for why keeping breaches confidential is more prevalent in the U.S. compared to countries in the European Union, Zugec said one possible explanation could be the significant penalties under the EU's General Data Protection Regulations.
He said he was interested to observe how new U.S. initiatives such as the White House's National Cybersecurity Strategy announced last month may affect regulatory responsibilities. To revert the dangerous trend of keeping breaches quiet, Zugec advised governments to realign incentives in favor of long-term security and cyber resilience investments.
The Bitdefender report also addressed the legal backlash of maintaining breach confidentiality. According to surveyed participants, the new laws requiring breach reporting in the U.S. and EU are causing increased concern over enterprises facing legal action. Fifty-five percent of overall respondents said they were worried about their companies facing legal action due to a breach being mismanaged. For U.S. respondents, that number was 78%.
Zugec emphasized that prompt reporting, transparency and effective incident response are all key to minimizing damage and maintaining trust with stakeholders following an attack.
Additionally, he said that just because a company decides to keep a security breach quiet, there is no guarantee it will stay that way as leaks from cybercriminals are becoming more common. Ransomware groups increasingly use public data leak sites to pressure victims into paying. Many times, a threat actors will threaten to leak stolen data before the victim organization has disclosed the attack.
"It must be engrained that keeping a security breach quiet can have serious negative consequences for a company," Zugec said.
Top threat concerns
The primary threat concerns for surveyed respondents last year were software vulnerabilities and zero-day exploits, followed closely by phishing campaigns and supply chain attacks. Ransomware came in at No. 4.
Bitdefender noted it was not surprised that software vulnerability threats surpassed phishing as the main point of concern for enterprises. Patching software vulnerabilities in a timely manner is an ongoing problem that attackers increasingly leverage. The threat has grown recently, as attackers exploit zero days and leverage known vulnerabilities at alarming rates.
"The fact that so many respondents recognize software vulnerabilities and supply chain attacks as their primary concern is a positive development and in line with our threat research and telemetry in 2022-2023," Zugec said.
While ransomware remains a consistent threat, Zugec said operators have evolved into profit-sharing criminal groups in recent years. Now, ransomware is just one possible final stage of the kill chain, he said. For example, an increasing number of threat actors are launching encryption-free ransomware attacks (sometimes referred to as extortionware) that solely attempt to exfiltrate victim data.
"The current trend of weaponizing known vulnerability exploits is another step in [threat actors'] evolution, and detailed as a new effective strategy for cybercriminals," Zugec said. "We have seen a marked increase in cybercriminals using vulnerabilities in popular platforms to cast an initial wide net, looking for targets using automation then handing it over to highly skilled teams if the target is deemed worthy of pursuing."
Arielle Waldman is a Boston-based reporter covering enterprise security news.