
C-suite executives confused about cyber attacks, survey shows

Key executives need to be more engaged with CISOs beyond planning for security, and take a more active role, according to an IBM study

Business leaders are confused about their true cyber security adversaries and how to combat them, an IBM survey revealed.

Although cyber security is a top concern for 68% of the more than 700 executives polled in 28 countries, and 75% believe a comprehensive security plan is important, the study found that key executives need to be more engaged with chief information security officers (CISOs) beyond planning for security, and take a more active role.

The study found 70% of senior executives think rogue individuals make up the largest threat to their organisations – while the reality is that 80% of cyber attacks are driven by highly organised crime rings in which data, tools and expertise are widely shared, according to a United Nations report.

The study found that a broad set of adversaries concerned the C-suite. Some 54% of executives acknowledged crime rings were a concern, but gave nearly equal weight to competitors, at 50%.

While over half of CEOs agree collaboration is necessary to combat cyber crime, only one third of CEOs were willing to share their organisation’s cyber security incident information externally.

The report said this exposes a resistance to widespread and co-ordinated industry collaboration, while hacking groups perfect their ability to share information in near real time on the dark web.

Criminals develop faster than CEOs

CEOs emphasised the role of external parties, calling for stronger government oversight, increased industry collaboration and cross-border information sharing. The report said this exposed a dichotomy that needs resolution.

“The world of cyber crime is evolving rapidly but many C-suite executives have not updated their understanding of the threats,” said Caleb Barlow, vice-president, IBM Security.

“While CISOs and the board can provide the appropriate guidance and tools, executives in marketing, human resources and finance – some of the most sensitive and data-heavy departments – should be more proactively involved in security decisions with the CISO,” he said.

Barlow said these departments represent prime targets for cyber criminals as they manage some of the most sensitive customer and employee data, manage corporate financials and have access to banking details.

In the study, roughly 60% of chief financial, HR and marketing officers acknowledged that they, and their divisions, are not actively engaged in cyber security strategy and execution. For example, only 57% of chief HR officers said they had rolled out employee training addressing cyber security – a first step in getting employees engaged on cyber security.

Preparing for security incidents

Most respondents said there was some probability their company will experience a significant cyber security incident in the next two years.

According to IBM’s analysis, only 17% of the respondents felt prepared and capable to respond to these threats.

However, IBM said these “cyber-secure” respondents are the most prepared and capable executives, and are twice as likely to have incorporated C-suite collaboration into the cyber security programme, and twice as likely to have elevated cyber security to a regular agenda item at the board level.

According to IBM, for organisations to improve their cyber security, they should:

  1. Understand the risk by evaluating their ecosystem for risks, conducting security risk assessments, developing education and training for employees, and incorporating security into the enterprise risk plan;
  2. Collaborate, educate and empower by establishing a security governance program, empowering the CISO, elevating and regularly discussing cyber security at C-suite meetings, and including the C-suite in developing an incident response plan;
  3. Manage risk with vigilance and speed by implementing continuous security monitoring, leveraging incident forensics, sharing and using threat intelligence to secure the environment, understanding where the organisation’s digital assets reside and developing mitigation plans accordingly, and developing and enforcing cyber security policies.