Despite daily reports of financial losses and reputational damage as a result of cyber breaches, a high proportion of boards are still in the dark as to the current state of their companies’ cyber defences.
This is a key finding of ‘Boardroom Cyber Watch 2014’, the second annual international survey of senior executive opinion conducted by IT Governance (http://www.itgovernance.co.uk/), the global leader in IT governance, risk management and compliance expertise.
Fully 32.5% of those taking part in the survey say their boards receive no regular reports on how their organisation is developing and implementing its cyber defence strategy.
Nevertheless, there are signs of progress, according to the international sample of 240 board directors, IT directors and other technology professionals polled by IT Governance in April and May 2014: while 38% of the respondents who do receive a board report on cyber defences say this information is provided only annually or less than annually, the other 62% receive this at least monthly – up from 48% in last year’s study.
The survey also suggests that the quality of cyber-security reporting to the board is an area requiring improvement, with 21% of respondents believing that their company’s board reports fail to provide the information necessary to take decisions, while another 28% are unsure if adequate information is provided.
An additional area of concern is the quality of communication between the IT function and the board. According to the 2014 survey, approaching a third of respondents (29%) believe that fear of retribution could be discouraging the IT department from fully disclosing details of cyber breaches to top management.
Alan Calder, Founder and Executive Chairman of IT Governance, says: “The lack of boardroom insight into cyber threats revealed by our survey may partly explain the reluctance of some companies to give up outdated security goals. This situation is underlined by the fact that 38% of respondents still say their objective is to prevent all cyber-attacks, an aspiration which will strike many information security professionals as unrealistic or even naive.
“Today, while organisations need to defend themselves against potential attack, they must also accept that some attacks will inevitably succeed. Therefore, an organisation’s cyber resilience is now the critical survival factor – its ability to recover quickly once an attack has taken place. Ultimately, organisations seeking to implement effective cyber resilience need to utilise the best practice approaches offered by international cyber security and business continuity standards, coupled with staff training and other tools.”
Highlighting this sea change, the report reveals that 51% of respondents now accept that cyber security alone is no longer sufficient to ensure business sustainability, and that some attacks will inevitably succeed.
Calder says: “Today, increasing numbers of organisations are taking a more pragmatic approach and stating their objective as ‘cyber-resilience’ – the ability of their company to minimise successful attacks and to recover quickly when breaches are suffered.”
Other findings in this year’s survey include the importance of information security to customers. Some 55% of respondents say customers have enquired about their infosec credentials in the past 12 months, up from 50% in the 2013 study, indicating rising demand for documented compliance with best practice standards such as ISO 27001.
Finally, the role played by governments in pushing businesses to demonstrate assurance has been highlighted by the report. Asked if they believed that their country’s government was taking cyber security seriously enough and providing sufficient support for companies to tackle this growing threat, respondents were evenly split: 42% answered yes and 42% answered no.
Calder says: “Breaking the figures down further, a marked difference of opinion between the UK and the US has come to light, with British respondents revealing more trust in their government’s tackling of cyber threats than their US counterparts have in theirs. While only about 28% of Americans expressed confidence in their government, approximately 51% of Britons did so. This endorsement perhaps reflects the recent official launch of the UK government’s 2014 Cyber Essentials Scheme, which aims to help businesses address cyber security and demonstrate assurance.”
‘Boardroom Cyber Watch 2014’ was conducted as an online survey by IT Governance. The 240 respondents represent organisations of all sizes, with revenues ranging from less than US$5m to more than US$500m. The sample is truly international: while the majority are from organisations based in the UK and United States, respondents from South America, Central Europe, Africa, the Middle East, Asia, Australia and New Zealand also contributed.
A copy of the full ‘Boardroom Cyber Watch 2014’ report is available at http://www.itgovernance.co.uk/boardroom-cyber-watch.aspx.