According to EY’s 19th Global Information Security Survey 2016-17 not enough organisations are paying attention to the basics and a lack of executive leadership and support is ‘challenging the effectiveness of cyber security’.
The report looks at the responses of 1,735 CIOs, CISOs and other executives, and the results show that global organisations are putting their customers, employees, suppliers and ultimately their own future at considerable risk by not treating this as a board-level issue.
The report also highlights that not only does the board need to support building cyber resilience, every employee needs to be aware that their behaviour could be putting their organisation at risk. Taking a collaborative approach between the board and the employees is more effective in building a company’s resistance, its “corporate shield”. The report highlights that 55% of respondents rated ‘careless or unaware’ employees as the highest risk to their exposure to a cyber attack.
We are often told that it is not ‘if’ you suffer a cyber attack, but ‘when’, and the likelihood is that you already have been attacked but are not yet aware of it. The report’s findings show that 62% of companies would not increase their spending on cyber security after experiencing an attack that did not appear to cause any harm. This is a serious problem, because cyber attackers will often make test attacks before launching a full attack. They will also use one type of attack as a diversion to distract companies from the real attack.
The EY report highlights that executive ownership is critical to building cyber resilience, and that a lack of executive awareness and support is challenging how effective a company’s cyber security is. The survey suggests that about half of boards are not fully knowledgeable and are ‘flying blind’, despite this being the biggest threat that organisations are currently facing. They need to be able to ask tougher questions and to close the gaps. When responding to a cyber attack the board needs to be able to show leadership, and to have a cyber incident response plan in place.
The worrying thing about this report is that year on year we are not seeing significant changes: executives appear to be aware of the threats, but many do not appear to be taking ownership. The board needs to be able to show leadership when a cyber attack happens, but before that they need to show leadership in driving this down through their organisations.
Read more at EY’s 19th Global Information Security Survey 2016-17