... in the EXECUTIVE SUITE
While there appears to be growing recognition of the scale of the Cyber threat among business leaders – for example, the World Economic Forum 2018 Global Risks report ranked Cyber attacks and Data fraud and theft respectively the third and fourth most likely risks (after Extreme Weather Events and Natural Disasters, but ahead of Terrorism and Infectious Diseases) – the number of breaches and their economic impact continues to increase.
So whilst Boards and senior leaders may be growing increasingly aware of the critical importance of Cybersecurity, to date this is not matched by a more profound appreciation of what constitutes effective Cybersecurity in practice.
This is borne out by some of the findings of E&Y’s 2018-19 Global Security Survey of 1400 executives. For example, while two thirds of participants said that their organizations would increase their Cybersecurity budget in the coming year, the survey also found that:
77% of organizations continue to operate with only limited Cybersecurity and resilience.
61% of respondents said their Boards/management teams had insufficient understanding of information security to fully evaluate Cyber risks and preventive measures.
In 60% of organizations the person accountable for information security is not a member of the Board or Executive Management. Most frequently (in 40% of organizations) it is the CIO who has responsibility for information security.
These results indicate that there remains significant naivety about the realities of Cybersecurity among senior executives, such that they continue to see it as essentially a technology issue which is best addressed by the IT Department. But whilst technology clearly has a major role to play as one of the key lines of defence against Cyber threats, by focusing their attention on technology alone organizations frequently neglect the human aspect of Cybersecurity, and the vulnerabilities that arise from poor Cybersecurity ‘hygiene’ on the part of employees, with as many as 90% of breaches involving some degree of human action or error.
On top of this, evidence suggests that this technology-led approach means that many organizations are using their available Cybersecurity resources poorly, by investing in ever more sophisticated technical defences (often in response to the latest incident reported in the media), but failing to provide adequate training to employees to embed the good Cybersecurity hygiene that provides another essential layer of defence. This is of course to be expected if the IT Department is the accountable party: given their focus on IT, their first inclination is very likely to be to look for IT-based solutions.
Ultimately, what is needed here is for Boards and senior executives to increase their understanding of Cybersecurity. Whilst they may not need to become deep technical experts, they do need to know enough to understand the real nature of the threats, and be able to take an informed view of how the organization should best respond to them. Moreover, senior executives should also recognize that because of their positions, they themselves are frequently the target of the hackers’ attentions, and so it is particularly important that they also observe good Cybersecurity hygiene.
Ultimately, raising Cybersecurity awareness is something which extends to the Board Room and the Senior Management suite every bit as much as, if not more than, the rest of the organization.