Businesses are reluctant to admit to cybersecurity weaknesses because they fear reputational damage, but by burying their heads in the sand and ignoring known security vulnerabilities they risk far greater damage to their brand if those weaknesses are eventually exploited.
Analysis by cybersecurity and bug bounty company HackerOne suggests that almost two-thirds of organisations operate a culture of security through obscurity, hoping that their weaknesses and vulnerabilities will go undetected or simply won't cause problems.
But by choosing to ignore vulnerabilities, organisations are leaving themselves open to cyberattacks and other security issues.
Unpatched security vulnerabilities are among the most common weaknesses cyber criminals exploit to compromise networks and software. Many organisations fail to apply even patches for critical vulnerabilities, sometimes for years, and for as long as an update is not rolled out the flaw it fixes remains an easy way in.
Many organisations don't take security seriously because boardrooms view it as a hindrance: according to the research, two-thirds of security professionals have been told that cybersecurity is seen as stifling innovation.
The problem is that when employees aren't aware of cybersecurity risks and have no appropriate measures in place to maintain security, they are likely to circumvent best practices.
For example, if employees think that having to log in to enterprise software suites and use the approved collaboration tools is less effective and more time-consuming than using a personal email address for sharing sensitive information, they could inadvertently expose sensitive data.
Almost two-thirds of cybersecurity professionals surveyed say that their organisation has suffered a security breach as a result of staff side-stepping cybersecurity measures, while just a quarter said they're very confident that their staff is following cybersecurity best practices.
The report also warns that developers are often pressured to release insecure products, putting organisations that use potentially vulnerable software at risk of being compromised.
According to HackerOne, it's vital for organisations to commit to more transparency around cybersecurity. "Security could be the difference between winning business and losing it," Marten Mickos, CEO of HackerOne, told ZDNet.
Even when organisations do fall victim to a cyberattack, being transparent about what happened can improve the company's reputation. As an example, Mickos cites Norsk Hydro, which was hit by a ransomware attack in 2019 and was open about the entire recovery process.
"The organisation took the responsibility to ensure frequent and candid communications with customers and the wider public, to keep everyone updated on how events were unfolding," he said.
"Not only did Norsk Hydro maintain customer trust by being transparent about what was happening, the organisation also had the power of exposing key information on the tactics being used by cyber criminals, which is beneficial to the wider industry and other organisations facing growing cyber risks," Mickos added.