The culture of silence is becoming a critical security vulnerability in its own right, and it’s growing. According to our recent industry research, more than half (58%) of IT and security professionals in the UK say they’ve been pressured to keep cyber breaches confidential, even when they believed reporting them was necessary.

Across the board, the percentage of professionals experiencing this pressure has jumped 38% over the last two years. In markets like Singapore and the US, that figure now exceeds 70%.

The motivations for keeping silent are familiar: fear of reputational harm, financial impact and regulatory scrutiny. But the consequences of silence can be far worse, particularly when incidents affect customer data, partners or suppliers.

At some point, silence isn’t damage control. It’s complicity.

Staying Silent After a Breach Isn’t Caution, it’s Complicity - Infosecurity Magazine

Beyond the Breach

Too often, the response to a cyber-attack begins and ends with containment: identifying the exploit, closing the vulnerability and getting systems back online. But a breach’s impact extends far beyond the IT security function.

There are regulatory implications, especially under regimes like GDPR or the Digital Operational Resilience Act (DORA), that require rapid disclosure. There are reputational risks, particularly if customers or partners are impacted. There are legal risks if data has been exfiltrated or mishandled.

Perhaps most damaging is the erosion of trust among employees and stakeholders when an organization conceals the truth.

The question isn’t just how to recover, it’s how to rebuild trust. And that starts with transparency.

A Disconnect Between Boardrooms and Reality

There is a growing gap between executive confidence and frontline concerns. While 45% of senior leaders globally describe themselves as “very confident” in managing cyber risk, just 19% of mid-level managers agree.

This divide isn’t just about perspective, it’s about operational blind spots. Leaders may feel reassured by investments made years ago, while frontline teams know those same systems haven’t kept pace with evolving threats.

The risks in cloud infrastructure, identity management or AI misuse are often understood best by the people managing them daily, and they’re the ones reporting the lowest levels of confidence.

Unless organizations address this cultural disconnect, no amount of tooling will deliver true resilience.

Attack Surfaces Are Growing and so Are the Pressures

One encouraging shift is the growing focus on reducing the attack surface. Around two-thirds (64%) of UK security professionals are prioritizing this by disabling unnecessary tools, limiting internal access and hardening endpoints.

It’s a warranted focus given that the majority of major cyber-attacks now use legitimate tools already present in the environment, a tactic known as living-off-the-land (LOTL).

But reducing exposure is only part of the picture. Security environments themselves are becoming harder to manage. In the UK, a third of professionals cite solution complexity as their biggest challenge, and almost half are looking to adopt AI tools for advanced threat detection this year.

Extending protection across hybrid environments and navigating regulatory compliance only adds to the burden.

People Are at the Core of Resilience

The cybersecurity skills gap is widening. Nearly half of all professionals say the shortage has worsened in the past year. In the UK, 44% report growing gaps. And with constant pressure, limited resources and rising regulatory demands, burnout is becoming a major concern. Nearly 50% of UK professionals say they’re already experiencing it.

This isn’t just a workforce issue, it’s a security risk.

Understaffed teams working under high stress are more likely to miss warning signs or make critical errors. Worse, they may be unable to keep up with evolving threats, particularly as new tools, platforms and compliance mandates enter the frame.

Investing in security talent, supporting mental wellbeing and rethinking team structures must become strategic priorities, not afterthoughts.

The Perception of AI and the Risk of Overconfidence

Two-thirds of our survey respondents believe AI-driven attacks are on the rise. Over 60% of UK organizations report being targeted by an attack they believe involved AI. Threats like deepfakes, automated phishing and synthetic code are topping the list of business concerns.

Yet this perceived sophistication doesn’t always match reality. While some attackers are using AI tools to refine phishing or troubleshoot malicious code, there’s little evidence of end-to-end malware being created by generative models. The greater risk may lie in misjudging the threat.

For example, nearly three-quarters of professionals believe they can spot deepfakes, but 96% still see GenAI as a significant danger. That contradiction highlights a growing vulnerability: confidence without capability.

The threat isn’t just AI, it’s what we don’t know about how it’s being used, both by adversaries and internally. Shadow AI, the unauthorized use of AI tools and systems within an organization, often bypassing IT oversight and security protocols, may introduce unintentional risks.

Transparency, Not Triage

There is no one-size-fits-all cybersecurity strategy. Every organization has different environments, priorities and constraints. But there are foundational elements that apply across the board.

Cybersecurity resilience begins with people and not just platforms. Investing in talent, supporting their development, and addressing burnout head-on must become non-negotiable priorities. Skilled, informed and empowered teams are the strongest defense against evolving threats.

Within an organization, complexity can be a vulnerability. Streamlining tools and clarifying responsibilities allows teams to address actual risks rather than maintenance overhead.

Training the team on existing security solutions helps build resilience, while outsourcing security operations via managed detection and response (MDR) reduces stress and alert fatigue, enabling in-house security experts to focus effectively on strategic security actions.

Above all, organizations must create a culture where transparency is expected, not penalized. When breaches are hidden, pressure builds, trust erodes and risk multiplies. Silence doesn’t mitigate damage, it compounds it.