
Key Takeaways:
- 39% of UK employees and 41% of U.S. staff say they wouldn’t report a suspected cyber-attack.
- Fear of blame, embarrassment, or job consequences drives underreporting.
- Even cybersecurity professionals have withheld incident reports out of fear.
- Human error is the top cause of cyber breaches, but silence amplifies damage.
- Experts call for a cultural shift toward transparency and no-blame reporting environments.
Cybersecurity Starts with Speaking Up—but Fear Keeps Many Employees Quiet
A new wave of research reveals a quiet but dangerous trend in global cybersecurity: employees—both in the U.S. and the UK—are routinely choosing not to report cyber threats, even when they recognize them. This silence can delay incident response, worsen damage, and leave organizations vulnerable to larger breaches.
In the UK, 39% of office workers admitted they would not alert their cybersecurity team if they believed they had been targeted by a cyber-attack. Meanwhile, in the U.S., similar data shows that over 40% of known incidents go unreported to internal leadership. This behavior spans industries, departments, and even cybersecurity teams themselves—40% of security staff admitted to withholding reports out of fear of blame or professional consequences.
Why Employees Stay Silent
The top reasons cited for not reporting a suspected cyber incident include:
- Fear of being blamed or disciplined
- Embarrassment over having fallen for a scam
- Not wanting to create unnecessary disruption
- Belief that IT will detect it without their input
Some even try to fix the issue themselves, despite not having the tools or expertise to contain a threat. These decisions can cost companies dearly. Breaches that go undetected for extended periods—especially those active for over 200 days—can be up to 34% more expensive to resolve than those caught early.
Awareness Without Action
Ironically, employee awareness of cyber threats is at an all-time high. UK workers lead in ransomware literacy, with nearly 80% claiming confidence in identifying a cyber-attack. U.S. employees similarly report high awareness. But this knowledge often fails to translate into action.
The disconnect lies in culture—not competence. Many employees simply don’t feel safe reporting what they perceive as mistakes. In the U.S., up to 88% of data breaches are linked to human error, yet workers often fear retribution more than they fear the consequences of a lingering threat.
Even Security Pros Don’t Always Report
Perhaps most alarming: even members of cybersecurity teams are part of the problem. In some reports, 4 in 10 cybersecurity professionals admitted to staying quiet about incidents they should have escalated. Their reasons echo those of general staff—fear of losing face, fear of being judged, or concerns about career repercussions.
The Cost of Inaction
When cyber threats go unreported, the consequences ripple outward:
- Malware has more time to spread.
- Ransomware campaigns can reach backups and secondary systems.
- Data exfiltration can occur without detection.
- Regulatory penalties increase if breaches are reported late or not at all.
Every hour of silence is an opportunity for threat actors to deepen their impact. What could have been a quick fix turns into a crisis—and all because the first sign wasn’t reported.
Fixing the Culture of Silence
Security leaders agree that the solution begins with changing how companies handle incident disclosures. A few key principles stand out:
- Normalize Reporting: Create a no-blame environment where reporting is expected and supported.
- Streamline the Process: Make it easy for employees to report quickly—via a simple form, direct hotline, or designated point of contact.
- Train with Context: Go beyond awareness campaigns. Educate employees on why speed matters and what steps to take if they suspect a problem.
- Reward Transparency: Recognize those who report issues promptly. Encourage peer support, not finger-pointing.
A Shared Global Responsibility
This isn’t a UK problem. It’s not a U.S. problem. It’s a workplace culture issue that transcends geography. Employees who understand threats but feel unsafe reporting them leave organizations exposed. Building a culture of trust, clarity, and action is now a core part of cybersecurity strategy.
Until every employee—from interns to CISOs—feels empowered to raise a red flag, the silent threat will persist.