- Ministry of Science and ICT releases ‘2025 Information Security Survey’ results
- Underreporting fueled by perception of "insignificant damage" and administrative burden
- Only half of surveyed firms maintain formal information security policie

[SEOUL] A stark reality check has been issued to South Korea’s corporate sector as new government data reveals that nearly seven out of ten companies falling victim to cyberattacks choose to remain silent. The findings highlight a critical vulnerability in the nation’s collective defense against increasingly sophisticated digital threats.

The Silence of the Breached
On March 27, 2026, the Ministry of Science and ICT (MSIT), in collaboration with the Korea Information Security Industry Association (KISIA), published the results of the ‘2025 Information Security Survey.’ The comprehensive study analyzed 5,500 companies with ten or more employees and 3,000 individual internet users aged 12 to 69.

While only 0.2% of all surveyed companies reported experiencing a clear security breach, the response to those incidents was underwhelming. Among the firms that suffered attacks, a mere 31.4% officially reported the incident to the relevant authorities. This leaves a staggering 68.6% of security compromises unaccounted for in official statistics.

Barriers to Reporting: Apathy and Red Tape
The survey delved into why businesses hesitate to come forward. The most common reason, cited by 59.7% of respondents, was the belief that the “damage was not significant enough” to warrant a report. However, experts warn that "insignificant" initial breaches are often precursors to larger, more devastating ransomware attacks or data leaks.

Other significant deterrents included:

Administrative Burden (30.9%): Fears regarding the time and resources required for official investigations and post-incident processing.
Perceived Futility (29.0%): A belief that reporting the crime would not actually assist in the recovery of lost data or assets.
Furthermore, 7.5% of companies admitted they were entirely unaware of security incidents until long after they occurred, suggesting a widespread lack of advanced detection capabilities.

Underfunded and Underprepared
The report paints a somber picture of the general state of corporate cybersecurity infrastructure. Despite the rising frequency of global cyber warfare and industrial espionage, basic security hygiene remains inconsistent:

Policy Gaps: Only 52.6% of companies have an established formal information security policy.
Lack of Manpower: Dedicated security organizations exist in only 35.3% of firms.
Education Deficit: Just 32.7% of businesses conduct regular security training for their staff.
Budgeting: Only 54.8% of enterprises allocate a specific budget for information security measures.

Government Pledges Stronger Support
In response to these findings, the government emphasized the need for a shift in corporate culture—from viewing cybersecurity as a cost center to seeing it as a vital component of business continuity.

Lim Jeong-gyu, Director General of the Information Protection and Network Policy Bureau at the MSIT, stated, "As cyber threats become more sophisticated and automated, it is imperative that the private sector bolsters its primary defense lines. The government will continue to push for initiatives that enhance national information security capabilities and streamline the reporting process to reduce the burden on businesses."

Industry analysts suggest that without mandatory reporting requirements for a broader range of incidents and better incentives for transparency, the "silent majority" of hacked firms will continue to leave the entire national network at risk.