IT Professionals are Pressured into Keeping Security Breaches Quiet

Malicious actors are increasingly using automation to conduct sophisticated attacks at scale, and organizations are struggling to defend against them. IT teams are typically overworked and lack the resources they need to proactively improve defenses; instead, they are bogged down reacting to threats and dealing with security incidents. Security teams are under pressure to prevent breaches, but when breaches do occur, they are often pressured into keeping them private, even though there are frequently legislative requirements to report breaches, such as under the GDPR in Europe and industry regulations in the United States such as HIPAA.

According to new research conducted by Bitdefender, 42% of IT professionals have been told to keep a security breach private, even though there are legal requirements that require the reporting of data breaches. 30% said they followed those instructions and didn’t report the breach. Keeping quiet about data breaches is even more common in the United States, where Bitdefender says the number of IT professionals told to keep quiet about a breach increases to 7 out of 10. 55% of respondents expressed concern that their organization would face legal action as a result of the failure to disclose, which is unsurprising as data breaches have a habit of becoming publicly known.

The Bitdefender survey was conducted on 400 IT and security professionals in the United States, United Kingdom, France, Germany, Italy, and Spain. More than half of the respondents (52%) said they had experienced a data breach or the exposure of data in the past 12 months, with three-quarters of respondents (75%) admitting a breach in the past year in the United States.

The survey also probed respondents on the biggest threats, which were seen to be software vulnerabilities and zero-day threats, rated as the top concern by 53.9% of respondents, and phishing and social engineering, which was a top threat for 52.2% of respondents. Supply chain attacks were the third biggest threat, cited as a top concern by 49% of respondents, closely followed by ransomware (48.5%). Those fears are not unfounded. Bitdefender reports that there has been a significant increase in cyberattacks exploiting vulnerabilities over the past 12 months, as proof-of-concept exploits are being weaponized quickly.

In order to improve defenses and the ability to react to security incidents, organizations are increasingly turning to managed security providers. This is understandable given the difficulty of recruiting skilled staff amid the global shortage of cybersecurity professionals. 99% of respondents said they had started or will start using a managed security provider, such as a managed detection and response service, and that it was a critical component of their security strategy. 45% of respondents said an MSP was essential for providing 24/7/365 security coverage, 36% said they lacked the skill set internally, and 35% said they needed to free up internal resources.

There are several security myths that IT professionals would love to dispel because they make their lives harder. The most common is that security is solely the responsibility of the IT department, when in fact everyone in the organization has a security responsibility. The next most frustrating myths are that mobile devices are immune to malware and threats, that their organization is not a target for cybercriminals, and that MFA and complex password requirements are not necessary.

When asked about the biggest cybersecurity challenges, the most common challenge was extending capabilities across multiple environments (43.5%), followed by complexity (43.2%), the lack of internal skill sets (36%), incompatibility with other security solutions (32.1%), reporting capabilities (28%), and too many alerts (26.8%).

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news