BreachExchange mailing list archives

C-Level Execs Concerned About Cybersecurity, But Not Investing in It


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 28 Jul 2014 18:49:58 -0600

http://www.infosecurity-magazine.com/view/39492/clevel-execs-concerned-about-cybersecurity-but-not-investing-in-it/


Cybersecurity concerns C-level execs more than concerns over their
companies’ reputations. However, many are unwilling to invest to assuage
the worries; and many don’t realize that a data breach could be the most
costly reputational issue that a company can face.

According to the Fifth Annual Board of Directors Survey from EisnerAmper,
there is an ever-increasing concern over cyber-attacks among board members,
particularly for public companies and not-for-profit organizations.
However, both private companies and organizations with more than $1 billion
in revenue felt they were more at risk from cybersecurity/IT than
reputation issues.

The recent spate of attacks on a wide range of organizations has exposed
vulnerabilities across what were perceived to be insulated corporate and
financial infrastructures — and within apps, routers, hardware and websites.

“It proved that cyber-thieves target more than financial and banking
information; there is a premium on private communications and other stored
data,” the report noted. “It further demonstrated that social media enable
these reputation issues to take on a life of their own, both in terms of
viral dispersion as well as an uncontrollable timeline, with a footprint
that is almost impossible to erase.”

However, the survey also showed a lack of willingness and resources to
address the fears.

“Many respondents wrote in that they had no plans — or relatively
unsophisticated plans — to protect their reputations [in a cyber-crisis],”
the firm said. “Overwhelmingly, C-suite executives and the board were
referenced as the go-to resources to execute a plan to preserve a company’s
reputation during a crisis.”

Crisis management, which could include plans on how to avert a substantial
impact on an organization’s reputation (including social media showdowns
developing from any issue and risk listed — and then some), generated
concern from only 31% of respondents — garnering a rank even lower than
last year, when it included disaster recovery.

And, if the expectation is that the C-suite and/or board members will take
the helm during a disaster, the perceived level of knowledge of CEOs and
CFOs around cybersecurity — and more importantly, social media — “leaves an
observer with an uneasy feeling about how a response would effectively
factor in the fallout from these facets of any crises,” the report noted.
“Anecdotally, many executives (and board members) readily admit their lack
of understanding of new media and cyber issues — two areas in which mere
general knowledge can miss the critical nuances necessary for effective
strategic and operational decisions.”

Less than 40% of respondents indicated their organizations have a
comprehensive enterprise resource management program that is fully
implemented; 22% don’t even have a program.

Despite all of these contradictions, most companies continue to feel they
are addressing risk either very well or well enough, from a variety of
approaches.

“The financial cost and damage to reputation from a cyber/privacy breach is
growing exponentially,” said Nancy Brady, director of IT risk services for
EisnerAmper, in the report. “Directors have recognized the increasing risk
companies face related to cyber/data security. Now they need to roll up
their sleeves and, with the companies, address these risks.”