UK CISOs under pressure to hide cyber breaches, risking trust
UK compliance experts are warning that pressure on Chief Information Security Officers to conceal cyber attacks could result in regulatory penalties and diminished trust among stakeholders.
Recent figures indicate that nearly 70% of UK CISOs are facing pressure to conceal security incidents and breaches. This concern has become more prominent amid increased debate over mandatory cyber incident disclosure, as high-profile figures such as Marks & Spencer chairman Archie Norman have urged stricter reporting rules after two major UK cyber attacks allegedly went unreported in recent months.
Cyber threats are a growing issue for organisations of all sizes. In the past year, 612,000 businesses and 61,000 charities in the UK have reported falling victim to a cyber breach or attack. The average cost of the most disruptive breach has reached £3,550 for businesses and £8,690 for charities, highlighting the significant financial impact.
Pressures and pitfalls
Vivek Dodd, Chief Executive Officer at compliance training provider Skillcast, has raised concerns about the pressures leaders face and the broader ramifications of incident concealment. Dodd, who has over two decades of experience developing regulatory training and compliance tools, emphasised that discussion should go beyond the question of whether disclosure should be mandatory.
"Amid what feels like a cybersecurity pandemic for UK businesses of all sizes, much of the debate on disclosure has centred on whether companies should be forced to report breaches. What's often missed is why so many incidents are concealed in the first place. The reality is that too many executives and CISOs feel pressured to protect corporate reputation above compliance.
That pressure highlights systemic gaps in cybersecurity compliance training, culture and governance. Boards and CISOs need targeted programmes to understand not just their legal duties, but also the ethical and operational consequences of concealment. Without a culture of transparency, even the strongest frameworks risk being undermined by fear of reputational damage or internal pressure to suppress information."
Dodd's comments follow findings from Skillcast's own research earlier this year. The Careless Clicks report, surveying 200 finance professionals, revealed ongoing risks within organisations. While 82% of respondents believed they had been targeted by cyber attacks and 85% felt confident identifying threats, 59% admitted that they had clicked on a link they later suspected was a phishing scam. One in five said this had happened 'many times'.
Training and transparency
In response to these concerns, Dodd recommends several proactive measures for organisations seeking to address the issue of concealment and improve cyber resilience. These include:
• Training leaders and boards on disclosure responsibilities: Dodd advises that senior executives and CISOs receive mandatory training so they fully understand their legal responsibilities and the ethical imperative for transparency.
• Embedding a culture of transparency: According to Dodd, organisations should work to remove the pressures that lead to concealment, treating compliance as a core corporate value rather than a box-ticking exercise.
• Running regular scenario-based training and drills: Practical simulations and exercises are recommended to help leaders respond with transparency under real-world conditions.
• Tying accountability to training records: Dodd suggests that firms should maintain comprehensive training logs and compliance evidence, demonstrating that all staff are prepared to respond appropriately to incidents.
Dodd reiterated the urgency of adopting these measures in light of current challenges faced by UK businesses:
"This is not the time for complacency. With UK businesses facing tens of thousands of daily cyber attacks, and evidence showing even confident professionals fall for phishing, the risks are growing. Businesses that will thrive are those that act now - embedding transparency as a core value, empowering their people to make the right decisions under pressure, and treating disclosure not as a compliance burden but as a foundation for trust and resilience."
The calls for change coincide with industry demands for stricter cyber incident disclosure rules. With regulators weighing mandatory reporting and recent major cyber attacks reportedly going unreported, the focus remains on transparency, training, and the ethical obligations of business leaders.