IT and top execs feel terrible when security is breached, but they are starting to feel even worse now that boards of directors are getting serious about security, even firing CEOs when things go awry. That is exactly what happened to Gregg Steinhafel, CEO of Target, when a major breach last year exposed hundreds of thousands of customer credit card numbers.
The New York Stock Exchange (NYSE) Governance Services teamed up with vendor Veracode to get to the bottom of just how seriously security is now taken in the boardroom. The quick answer? Very, according to a survey of 200 directors.
According to the ‘Cybersecurity in the Boardroom’ survey, security is discussed at 80 percent of board meetings. Despite that, one in five respondents said security only comes up after some kind of breach or event at their company or in their industry.
“Following the slew of major cyberattacks reported in 2014 – the Year of the Breach, according to Forbes – cybersecurity has become a boardroom-level conversation on an unprecedented scale. The resignation of Target’s CEO and CIO following that company’s breach shows that responsibility is no longer being placed solely upon the CISO, but rather across the entire C-suite,” the report said.
The report also mentioned how high-profile vulnerabilities – such as Heartbleed – show the extent to which businesses rely on open-source and third-party software even when that software hasn’t been properly secured.
Give with the details
Board members are concerned about security because they believe the problem is far from being properly dealt with. “Two-thirds (66%) of the directors we surveyed are less than confident their companies are properly secured against cyberattacks. Given the large-scale breaches that have occurred at major corporations such as Sony, Target, JPMorgan Chase, and Anthem (among many others), it’s not surprising that only 4% of respondents indicated they are “very confident” that their companies are properly secured against attacks,” the report said.
Among those polled, the company’s image is one of the biggest worries: 41% said the consequence they fear most is the impact on the brand. Almost half of those polled also worry about intellectual property theft, which in turn would lead to loss of competitive advantage.
Despite all this angst, directors aren’t pushing aggressively for more security measures “such as requiring stronger passwords or two-factor authentication,” because they don’t want to create an inconvenience to partners or customers.
While there is a lack of confidence in their companies’ overall ability to stop attacks, there is overconfidence in the safety of their tools. “More than two-thirds of respondents believe that most or all of their web and mobile applications are assessed for threats before being made available to customers—yet separate studies by SANS and IDG Research show the majority of software applications produced by enterprises are never assessed for vulnerabilities (62%, according to IDG Research),” the duo said.
So are there any quick answers? Not to the overall threat set out there. But there are ways to improve overall understanding. The report concluded that this can be achieved when CISOs combine “their strong technical skills with solid business and communication skills in order to convey security information to the board in terms directors will understand.”
Is it so different in the UK?
Over in the UK, security matters seem to take a different turn, according to a recent Marsh report, the “UK 2015 Cyber Risk Survey Report.” This report revealed that only 11% of companies are buying cyber insurance. However, the report also stated that companies may be using alternative methods to fund cybersecurity risk. When it comes to boardroom discussions, the report found that only 19.4% of UK businesses have board-level oversight of cyber risk, and, even more worryingly, only 18% of organizations have “a complete understanding” of cyber risk while 52.8% have a basic understanding.
The report concluded that businesses across the UK still have a lot of work to do to improve their understanding and management of cyber threats, saying, “achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.”
Even though 2014 was dubbed the ‘Year of the Breach’ by Forbes, 2015 looks to be heading in the same direction, if not a worse one. In our Hack Hall of Shame series we have been counting down the top 10 worst hacks and breaches of the month, and the amount of good-quality data lost from very prominent companies is a definite cause for concern.
As hackers get cleverer, so should businesses, and the first step is to recognize the extent of the damage – which sometimes goes beyond monetary – that these attacks can cause. As our very own Deb Shinder said in a previous post, “We’re a long way from that utopian secure future. In the meantime, it’s time for us to sit down and come to terms with security.”