Boards still not grasping cyberthreats, say IT decision makers


George Nicholls, Control Risks’ Senior Partner for southern Africa

Key decision makers do not have confidence in their Boards’ ability to manage cybersecurity threats, according to the latest cybersecurity analysis from Control Risks. The global ‘Cyber Security Landscape’ survey of IT and business decision makers found that almost half of respondents reported they believe their organisation’s board-level executives do not take cybersecurity as seriously as they should. This is despite 77% of respondents citing the C-suite, rather than the historic owner, the IT department, as being most accountable for cybersecurity management and decision making in their organisation.

The survey also found that just over 31% of respondents are very or extremely concerned that their organisation will suffer a cyberattack in the next year, and a third (34%) say their organisation doesn’t have a cyber crisis management plan in place in the event of a breach. This lack of preparedness is especially striking in light of the 12th May WannaCry ransomware attack, which affected 150 countries in under 12 hours.

Key findings:

Companies are struggling to adopt a risk-based approach: although companies are now less concerned with merely complying with standards and are focused on actually reducing the risk of a cyberattack, almost half (45%) agreed that assessing and managing these risks is their biggest challenge.

Third-party breaches are a growing concern: just over a third (35%) of respondents said a third-party cyber breach had affected their organisation and, despite nine in ten respondents (93%) taking steps to evaluate their third parties’ cybersecurity measures, 53% said this was confined to contractual measures.

Cyberattacks have major long-term effects: 4 in 10 respondents said a cyberattack has resulted in the misuse of sensitive or confidential information (43%) and a loss of customer information (41%).

George Nicholls, Senior Partner based in Johannesburg at Control Risks, commented: “The misalignment between treating cybersecurity as a technological issue or a business risk is not new. Yet, the survey shows that this misalignment remains a considerable and ongoing concern for many organisations.”

He continues: “Our advice is to always start with the threat. The way in which cyberthreats are assessed and communicated throughout the business is key. This assessment should include the specific cyberthreats to the organisation, how they could impact the business and what controls might mitigate them. After assessing the risks and understanding them, the organisation can then deal with these within its overall risk management strategy.”

Organisations should ensure cybersecurity becomes a regular item on the board’s agenda that includes reviewing the external cyberthreat landscape in conjunction with IT. Organisations also benefit from regular crisis management exercises that involve all relevant parties including the C-suite, IT, legal, communications and any other members of the crisis management team. These exercises ensure that all parties understand their roles and responsibilities and the potential implications of a cyberattack.

https://www.youtube.com/watch?v=E4IBSdYNYCc&feature=youtu.be
