A recent report from IT.ie and SonicWall highlights a pressing issue: many employees hesitate to report cybersecurity incidents, leaving organisations vulnerable to escalating threats. As advances in AI make cyberattacks increasingly sophisticated, this reluctance is not just a workplace challenge; it is a business-critical problem. In this blog we explore why employees are reluctant to report incidents, the consequences of unreported threats, and actionable solutions to foster a culture of transparency and accountability within the workplace.
The Impact of Unreported Cyber Incidents
Almost every employee will admit to receiving a suspicious email; few will admit to clicking a link within it or attempting to open an attachment. When cybersecurity incidents go unreported, their impact can be significant. The impact may not always be immediate: the average time for a breach to be discovered is 197 days. However, once cybercriminals decide to act on their access, their actions can have far-reaching consequences, including financial losses, operational disruptions, and reputational damage. The timing of a response is crucial. On average, it takes 69 days to contain a cyber breach. The GDPR (General Data Protection Regulation) requires high-risk data breaches to be reported within 72 hours, while the more recent NIS2 directive (Network and Information Systems) requires in-scope organisations to flag incidents within 72 hours. A common theme between these two regulations is the need for awareness of a breach in the first instance. While breach detection software is useful, it is only triggered when unusual activity occurs, making employee reporting critical. Delayed responses allow threats to spread, increasing damage and making recovery more costly. Ignoring the early signs of an attack can result in stolen data, legal repercussions, and lost customer trust: a high price for an avoidable oversight.
Why Employees Don’t Report Incidents
Understanding why employees hesitate to report potential incidents is the first step toward addressing the issue. Each organisation, irrespective of size, should ensure that they have a clear incident reporting policy which outlines how potential incidents should be reported and to whom. Training on incident reporting should also be included within annual security awareness training sessions for all employees. Some common barriers include:
- Blame Culture: Employees worry about being held responsible for security breaches, even when mistakes are unintentional.
- Ridicule: Some employees believe that their actions will be used as ‘exemplar material’ within the organisation. Additionally, some employees may feel that their age will be used against them: ‘younger, more technically savvy staff wouldn't have made that mistake’.
- Lack of Understanding: Many employees are simply unaware of what constitutes a reportable incident and may fail to understand the potential consequences of not reporting.
- Lack of Responsibility: Employees can fail to understand that cyber risk is a whole-organisation responsibility, with many believing that the IT department has total oversight of the organisation.
The recent survey by IT.ie and SonicWall underscores these points, revealing that nearly half of employees feel uncertain about whether they should report suspicious activity. Such statistics highlight the urgent need for organisations to address these concerns and build trust.
Creating a Reporting-Friendly Culture
Fostering an environment where employees feel comfortable reporting incidents is critical. It is the role of senior management within the organisation to foster a positive culture for cyber security. This is best delivered through a ‘top-down’ approach, where senior management also feel comfortable reporting potential incidents. Here are steps to achieve this:
- Implement a strong security awareness programme: Security awareness programmes should encompass all areas of good cyber hygiene, including data protection, incident response and disaster recovery. While automated phishing simulation programmes are an essential part of security awareness, they are not comprehensive enough to address all the areas needed, including incident reporting.
- Educate Employees: Implement regular training sessions on recognising and reporting cyber threats. Use practical examples to demystify the process and reinforce the importance of early detection.
- Foster Psychological Safety: Make it clear that mistakes will occur in any environment and that reporting an incident will not result in blame or disciplinary action. When employees feel safe, they are more likely to come forward.
- Simplify Reporting Processes: Devise a clear, easy-to-follow policy for incident reporting and disseminate it to all staff (including casual contractors and fixed-term employees). It is essential that employees have clear channels for incident reporting (whether a specific form or a monitored email address). The simpler the process, the more likely employees are to use it.
- Acknowledge and Act: Show employees that their reports were actioned and provide feedback on the outcome where appropriate. Whether it involves addressing vulnerabilities, enhancing security protocols or simply confirming that no action was required, closing the loop demonstrates responsiveness and builds trust in the system.
Understanding Your IT Infrastructure
Knowing what constitutes ‘normal’ behaviour in your IT environment is essential for identifying anomalies. It is also important to understand staff behaviour and normal business flows, since unusual behaviour within your network is an early indication of compromise. You can read our blog on Indicators of Compromise (IoCs) to learn more about how to detect the early warning signs of an attack.
Conclusion
Addressing employee reluctance to report cyber incidents is essential for building a resilient cybersecurity posture. By fostering a culture of transparency, providing the right tools, and leading by example, business owners can create a cyber-positive culture, helping to mitigate risks and protect their assets.
Take the first step to understanding your IT infrastructure by activating a free trial of our ITUS Protect software.
Sources
Varonis. “Data Breach Response Times,” Varonis, 2024. https://www.varonis.com/blog/data-breach-response-times
IT.ie. “73% of Office Workers in Ireland Say Staff Get Blamed for Cybersecurity Incidents,” IT.ie, 2024. https://it.ie/press-release-73-of-office-workers-in-ireland-say-staff-get-blamed-for-cybersecurity-incidents/