Fatigue and shortages: cyber teams intentionally underreporting breaches


Forty percent of cyber teams have not reported a cyber incident out of fear of losing their jobs, a new report has shown. This signifies a serious underreporting of cyber breaches globally, cybersecurity company VikingCloud says.

VikingCloud’s research – The 2024 Threat Landscape Report: Cyber Risks, Opportunities, & Resilience – uncovered a serious disconnect between the confidence business leaders are reporting and where their defenses actually stand.

At a glance, the situation looks quite good. Ninety-six percent of companies said they were confident in their ability to detect and respond to cyberattacks in real time.

But the numbers tell a much more complicated story and confirm that the consequences of constant stress, fatigue, and talent shortages can be serious – especially as the severity of attacks fueled by artificial intelligence is growing.

No money for staff and technology

For instance, among nearly 170 surveyed cybersecurity professionals in the United States, the United Kingdom, and Ireland, 48% said they were unprepared for attacks against a critical third party, and 40% said they weren’t ready to deal with phishing attacks, either.

Moreover, 53% of respondents admitted that they were unprepared to defend against emerging AI attack methods, and 55% believed modern cybercriminals were more advanced than their internal teams.

Sixty-eight percent of teams would not currently meet the US Securities and Exchange Commission’s four-day disclosure requirement, and 63% spend more than 208 hours per year managing false positives when vulnerabilities are flagged incorrectly – often missing real breaches in the process.

Probably most importantly, 40% have not reported a cyber incident out of fear of losing their jobs. According to VikingCloud’s chief product officer, Kevin Pierce, all this data shows a false sense of security, which could lead to heightened cyber risk.

“Cyber teams are facing major challenges such as the growing talent shortage, new attack methods, and the advancing sophistication of cybercriminals,” said Pierce.

“Although many leaders report confidence in their defensive capabilities, it’s clear this false sense of security is leaving many businesses vulnerable. Teams are trying to do more with less while cybercriminals continue to stay one step ahead.”

Pierce told Cybernews that VikingCloud’s team essentially concluded that “a lot of cyber teams are overburdened” and cannot keep up.

“There’s a shortage of talent, there’s also alert fatigue. It was very clear to us that the number of incidents that are actually occurring is higher than what’s being reported,” he continued.

Indeed, the report says that only 10% of companies have increased cyber hiring in the past 12 months, and nearly 20% of companies say a lack of qualified talent is a key challenge to overcoming cyberattacks.

Thirty-five percent of companies don't have enough budget to invest in new tech, and 32% don’t have enough budget to hire more staff. As a result, 35% of firms thought the technology used by cybercriminals was more sophisticated than the tech to which their team had access.

All eyes on generative AI

Pierce isn’t surprised attacks are underreported over the fear of losing jobs: “Anytime there’s an attack, there could be an effort to blame, and if you’re the day-to-day person who’s managing these events, you could feel like you would be blamed.”

“When we ask companies what tools would be beneficial for them going forward, many are saying that the number one tool or technology would be the one that could assist in alleviating the alert fatigue and the amount of data that they're having to consume,” Pierce added.

According to the expert, without understanding their actual risk status and investing in the right technology, people, and expert partners, companies will become even more susceptible to the latest attack methods.

And these are truly sophisticated. Data shows that companies now have to worry about generative AI model prompt hacking, large language model data poisoning, generative AI processing chip attacks, and GenAI phishing.

Many cyber teams are not trained for the emerging GenAI-fueled attacks. VikingCloud found that a third of companies still have not trained their team on GenAI-related cyber risks.

Unsurprisingly, 63% of surveyed cyber professionals said they were looking to implement new technology, and 41% said GenAI had the most potential to address cyber alert fatigue.

“There are two ways cyber leaders can look at advanced technology like GenAI – as a threat or as a weapon. The reality is that it’s both, which makes it essential for businesses to aggressively implement the right solutions to arm their teams and beat cybercriminals at their own game,” Pierce said.

He agreed, though, that advanced AI tools should boost human expertise and critical thinking in cybersecurity rather than replace them because, again, replacing them is unsafe and can be costly in the end – humans still see things that machines can’t.

“AI is not a replacement for humans. AI used independently is a problem but AI augmenting analysts and driving efficiency within teams can be a great tool,” Pierce told Cybernews. “But we have to use AI, it’s just a question whether we’re using it effectively.”

Companies also have no choice, actually. Only 10% of surveyed firms have increased cyber hiring in the past 12 months.

According to the International Information System Security Certification Consortium, or ISC2, a non-profit organization that specializes in training and certifications for cybersecurity professionals, the industry workforce gap currently stands at about four million workers.