02.06.2017 Survey: State of the Cyber Security Landscape
Our global partner, Control Risk, has conducted a major survey on large organisations' actions to defend themselves against cyber threats. We present some of the findings here.
Key findings in the report:
- Respondents lack confidence in their board’s ability to manage cyber security threats
- Companies struggle to adopt a risk-based approach
- Third-party breaches are a growing concern
Board's ability to manage cyber security threats
Threats posed by malicious cyber actors are constantly increasing, and new and smarter tools designed to attack businesses are constantly being developed. Spending to mitigate this has risen, and the issue is no longer treated as a problem the IT department has to fix. Ownership of cyber risk has reached senior executive level.
Almost half of the respondents believe that the company's board does not take the threats as seriously as it should, while 31 percent say they are very or extremely worried that their business will suffer a cyber attack in the next year.
Although 68 per cent of respondents say they have conducted a risk assessment in the past year, 45 per cent say that risk assessments are their biggest challenge. This shows that risk assessment is perceived as very important, but it could also indicate that the risk assessments are not sufficiently meaningful to shape an effective strategy and drive change across the company. More worrisome is that 32 percent of the respondents say they have not conducted a risk assessment in the past year.
Around 43 percent of the respondents say they have experienced a malicious cyber attack.
Fear of third-party security breaches
Just about all businesses are dependent on third parties in their supply chain, which extends the possibilities of being hit by an attack. It is especially risky for those who choose to outsource sensitive parts of the supply chain, such as financial functions, payroll and technology.
35 percent say they have experienced a security breach with a third-party partner. Nine out of ten say they have evaluated third-party security, but it may seem that the right measures are not being taken. Half of those who respond that they have taken action say that this consists only of contractual liability clauses.
What to do?
- Make cyber security a regular board agenda and include briefings from the technical team
- Also exercise your crisis management with scenarios related to cyber threats
- Educate your employees on cyber security
- Perform comprehensive risk assessments and take action to reduce the risk and/or the likelihood that this will affect you
- Include third-party risk as part of your crisis plan
About the report:
482 IT decision makers were interviewed, from both private and public organizations. The companies all have at least 2000 employees. They are from four continents and 20 countries.