Concealing cyberattacks risks penalties and harms trust


Last month Bitdefender revealed that 70 percent of UK CISOs have faced pressure to conceal security incidents, cyberattacks and breaches.
Compliance training specialist Skillcast is warning that such concealment risks regulatory penalties and erodes trust. The concern is heightened by escalating threats: 612,000 UK businesses and 61,000 UK charities reported a cyber breach or attack in the past year, and the average cost of the most disruptive breach reached £3,550 ($4,790) for businesses and £8,690 ($11,730) for charities.
Vivek Dodd, CEO at Skillcast, says:
Amid what feels like a cybersecurity pandemic for UK businesses of all sizes, much of the debate on disclosure has centred on whether companies should be forced to report breaches. What’s often missed is why so many incidents are concealed in the first place. The reality is that too many executives and CISOs feel pressured to protect corporate reputation above compliance.
That pressure highlights systemic gaps in cybersecurity compliance training, culture and governance. Boards and CISOs need targeted programmes to understand not just their legal duties, but also the ethical and operational consequences of concealment. Without a culture of transparency, even the strongest frameworks risk being undermined by fear of reputational damage or internal pressure to suppress information.
Skillcast’s Careless Clicks report surveyed 200 UK finance professionals. It found that 82 percent believe they were targeted in the past year and 85 percent feel confident spotting an attempt; nonetheless, 59 percent admitted clicking on a link they later suspected was a phishing scam, and one in five said this had happened ‘many times’.
Vivek recommends that businesses protect themselves by taking proactive steps to address concealment and strengthen resilience. These include training leaders and boards on disclosure responsibilities, so that senior executives and CISOs understand their legal duties and the ethical imperative to report incidents; mandatory training for boards should become standard practice.
Firms also need to eliminate the pressures that push CISOs and staff into concealment. Compliance must be treated as a corporate value, not a box-ticking exercise. Simulations and practical exercises ensure leaders are ready to act transparently under real-world pressure. Firms should be able to demonstrate through training logs and compliance evidence that staff at all levels are equipped to respond appropriately.
Vivek adds, "This is not the time for complacency. With UK businesses facing tens of thousands of daily cyber attacks, and evidence showing even confident professionals fall for phishing, the risks are growing. Businesses that will thrive are those that act now -- embedding transparency as a core value, empowering their people to make the right decisions under pressure, and treating disclosure not as a compliance burden but as a foundation for trust and resilience."
Do you think businesses should be forced to disclose details of attacks? Let us know in the comments.
Image credit: Bowie15/Dreamstime.com