Given the significant consequences that face board members in breached organizations, you might expect that they are giving cybersecurity their full attention – but are they?
Our recent survey with research and consulting firm Ovum sheds a revealing light on this.
Do they think the problem will go away?No one is expecting cyber-attacks and breach attempts to stop, and only 1% of respondents think that levels of attack will go down in the coming year, while 62% expect the rates of attack to increase. This reflects recent experience in their own organizations, 60% have experienced an increase in attempted data breaches in the past year, 24% of those polled have seen attempts increase in volume by more than 25%.
Verdict: Not complacent – they recognize that cyber threat is on the increase.
Are they investing enough to fight cybercrime?Although 62% of organizations expect cybercrime attack rates to go up, only 48% expect investment in cybersecurity to increase this year. There were pockets where very few expect investment to increase; for example, UK retail and e-commerce respondents had particularly low expectations, with only 30% expect increased investment. Size of organization also has an impact — only 37% of those with 500 -1,000 employees expect increased investment, whereas 64% of those with over 10,000 employees do.
While spend is not a definitive indicator of focus, we would expect greater investment levels.
Verdict: Complacent – particularly in smaller organizations or certain industries/countries.
Are the board taking enough responsibility for cybersecurity?The C Suite security and IT executives we asked certainly think so. 84% report that senior management at their organization have enough focus on preventing breaches.
However when we look more closely at the role played by board members in security strategy, it’s not so clear cut. 22% report that senior management are either rarely involved in managing cybersecurity strategy or completely delegate responsibility to the IT and security team. Only 59% have a board member responsible for oversight on cybersecurity, however 66% report that they have board-level reporting strategies for highlighting their security status.
Verdict: Not complacent – despite other indicators, 84% say their board does have enough focus on cybersecurity.
Are they over-estimating how well they are tackling cybersecurity?Very few respondents thought that their cybersecurity was below industry average — just 6%. Of the 85% that thought they were at least average, a whopping 25% rated themselves as cybersecurity top performers. As they were rating themselves against average, many are being over-optimistic – a stance that suggests complacency.
In addition, 38% use their own benchmarks and criteria to assess themselves, and 6% don’t carry out measurable assessment. It is reasonable to assume that a lack of objective measurement is helping to create an optimistic view of their cybersecurity situation.
Verdict: Complacent – accurate benchmarking and measurement could stop you falling into this trap!
Do they have a plan for if the worst happens?We looked at two factors here – whether organizations were transferring risk with cyber risk insurance or mitigating it with a tested data breach response plan.
60% of respondents have some level of insurance cover, though only 20% claim that it is comprehensive. Of the remaining 40%, almost a quarter plan to take out cover in the coming year, if they follow through on this, 83% will have some level of cyber risk insurance.
When it comes to having a tested data breach response plan, it’s a little more worrying – 49% of respondents don’t have one. In some countries it’s even worse than that: in the UK only 41% have one and in Canada it’s only slightly better at 44%. The Nordic countries were the most likely to have a tested data breach response plan and Norway came out on top – 62% of organizations polled have one.
Worryingly, around 52% of those with no data breach response plan don’t have cyber risk insurance either. Of course it could be that they have all necessary measures in place to prevent breaches happening, but given the speed of change and variety of attack vectors displayed by cyber-criminals this is a high-risk strategy.
Verdict: Complacent – particularly for those without either insurance or a data breach response plan
So are the C-Suite complacent when it comes to cybersecurity and data breach?
Despite the indications given by this research, to proclaim widespread complacency would be stretching the point. There are certainly pockets of complacency with either some companies being more complacent, or some factors in overall cybersecurity status not being given enough focus in most businesses.
There are two clear learning points:
- Take care in how you assess the cybersecurity of your organization, if possible use objective ways to measure and benchmark.
- Prevention may be better than cure - but no one can say they’ll never be breached and so transfer or mitigation of risk should not be undervalued.
Want to benchmark your cybersecurity status and find out if you’re likely to suffer a data breach in the next year? Find out with the FICO Enterprise Security Score.
This blog is based on independent research carried out on behalf of FICO by research and consulting firm Ovum. This link will take you to a page where you can download the whitepaper ‘What the C-suite Needs to Know about Cyber-readiness’ or one of our ‘Views From the C-Suite’ e-books for the USA, UK, Canada and the Nordics.