A private Cohesity survey found that office workers in the UK would keep quiet about being targeted in a cyber-attack.
The results came from a survey of 4,500 workers across France, Germany and the UAE that was run to inform marketing strategy. The reasons given by respondents for not revealing a personally directed cyber-attack were that they wouldn’t want people to think it was their fault (17 percent), they don’t want to get into trouble (17 percent) and they are afraid of causing an unnecessary fuss (15 percent). One in ten (11 percent) would even try to fix it themselves rather than seek official help from their employer’s security experts.
According to Olivier Savornin, GVP Europe at Cohesity, “Staying silent if they suspect a malicious cyberattack is quite possibly the worst thing an employee could do, particularly when they claim to know the dangers. This reluctance to speak up leaves organizations in the dark and vulnerable to serious damage to the business.”
Cohesity believes that time is of the essence when dealing with a cyberattack if an organization is to get back up and running quickly, in a secure state, and with limited impact on business operations and revenues. Savornin said: “We need to create a workplace culture where people feel comfortable raising the alarm and are properly trained on how to recognise a cyber threat and the correct action to take – no matter how small the issue might seem.”
As an example of why this is necessary, the damaging cyber-attack on retailer Marks and Spencer in the UK in April last year caused a great loss in revenues, with a £300 million ($403 million) operating profit loss, as its online business was taken offline for seven weeks. The online business is being rebuilt in stages, with the process not yet complete 14 months later.
The attack was enabled by a DragonForce ransomware group hacker impersonating an employee, reportedly at M&S contractor Tata Consultancy Services, and gaining unauthorized system access via the M&S help desk. Reports indicate the breach began as early as February 2024, when hackers stole the Windows domain’s NTDS.dit file, containing password hashes for domain users. By cracking these hashes, they accessed the network and deployed ransomware to encrypt virtual machines, disrupting services like contactless payments, click-and-collect, and online ordering.
M&S chairman Archie Norman believes that British businesses should be legally required to report material cyberattacks to the authorities. This should surely apply to all organizations in every country. And that means that staff in these organizations should be encouraged to report cyber-attacks to their security function. That means training, attack simulation training for example, so they can learn how to recognize an attack and reject flaky telephone calls, emails, text and WhatsApp messages, no matter whom they appear to be from.
Cohesity’s James Blake, Global Head of Cyber Resiliency Strategy, stated: “Our research, conducted by OnePoll across France, Germany, the UAE, and the UK, reveals a worrying gap in cyber resilience. While 68 percent of employees across Europe have received some form of cybersecurity training in the past year, nearly one in three (32 percent) said they have had no exposure to any training or resources whatsoever. That’s a significant blind spot.”
Such employees are “ill-equipped to recognize ransomware phishing emails — let alone understand how to respond appropriately.”
Blake concludes: “When it comes to ransomware, people are the weakest link.” An organizational culture that encourages transparent and timely communication of these threats needs to be established.
Bootnote
Cohesity conducted research amongst full-time office workers to understand their beliefs, knowledge, and behaviour when it comes to malicious cyberattacks including ransomware. It worked with OnePoll to question 4,500 respondents across EMEA (France – 1,000, Germany – 1,000, UAE – 500, UK – 2,000) in May/June 2025. We understand this research is not going to be published externally.