According to a study completed by PricewaterhouseCoopers (PwC), 80 percent of cyberattacks could be readily defended against if companies used education, monitoring and a well-maintained IT infrastructure. An additional 15 percent of attacks could be prevented with a cybersecurity strategy, awareness of the threat environment and an asset identification and protection program.
The number of attacks by hackers, terror groups and company insiders has been increasing steadily, to the point that the U.S. government has created an entire division specifically to handle cybercrime. At the same time, corporate budgets for maintaining security have been shrinking, and many IT infrastructures have been allowed to decay because of economic concerns and a greater emphasis on adopting new technology.
Considering how damaging cyber attacks can be, from losing intellectual property to exposing customers' confidential data, it raises the question of why so many business executives are not treating cyber attacks as a serious threat. The PwC survey showed that one third of CEOs do not think an attack would negatively affect their company, yet 61 percent of consumers say they would no longer use a company's product after a security breach.
Where is this mindset coming from and what can be done to correct the situation?
1. Lack of Coordination
In many corporations there is no centralized team or head of security that addresses cyber security and threats. Responsibility is often subdivided among multiple departments such as HR and IT, and with no one in charge of all security measures, these departments frequently do not talk to each other or share the information they have. On top of this, many executives are not keeping track of the security measures they have in place, or even of how an attack affected their bottom line. According to PwC, 22 percent of CIOs did not know how monetary losses due to security breaches had changed over the past year, and 21 percent of CIOs did not know what their organization was doing to counter cyber threats.
This lack of awareness is one of the biggest threats to corporations: many security breaches go unnoticed, and without information on how attacks are affecting the bottom line, many executives will continue to dismiss cyber attacks as a significant threat.
2. Lack of Understanding
Another important deterrent to executives investing in security is a lack of agreement and understanding about where the threats lie and what risks they pose to the organization. CSOs tend to see hackers as the biggest threat, while CIOs see current and former employees as the biggest threat to security. This disagreement often leads to inaction rather than to addressing the situations that need the most protection. In addition, many executives rely on open-source information rather than industry and government sources, which means they are often exposed to inaccurate or incomplete information.
There is also a significant lack of employee training and awareness about cyber security. This matters because often the only way an internal attack is detected is when a co-worker or manager notices suspicious activity. In addition, most data lost through internal means is lost unintentionally by employees who were never trained on security protocol.
Understanding the threats posed to an organization, and training on how to prevent an attack, needs to start from the top down and become a major component of personnel training in order to stop both intentional and unintentional incidents.
3. Focusing on Adoption
Business executives love new technology, especially technology that promises to solve a lot of problems, such as social collaboration or storing data in the cloud. Most employees also bring their own personal technology to work, from smartphones to personal laptops. There is nothing inherently wrong with adopting new technology; in fact, if it benefits the company it should be encouraged. But many executives focus so much on adoption that they fail to think about the security implications of a new system and how to address them.
For example, does a cloud service provider follow encryption best practices when data is being transferred to the cloud? Employees using smartphones at work open up a host of security risks as well, yet 30 percent of the companies PwC surveyed do not have a cyber security plan of any kind.
The solution to this is simple. Conducting a threat analysis and outlining a security plan should be an essential step whenever a company adopts any technology, company-issued or personal, that will have access to sensitive information.
Contributor bio: Robert Cordray is a freelance writer and expert in business and marketing. With over 20 years of startup experience, Robert is now retired and hopes others can benefit from his writing.