Nearly a third of C-Level directors surveyed across the UK (32%) either do not have a response plan in place to manage a cyber-attack on their business, or they are not sure whether they do.
That’s the finding of a new poll of 250 C-suite members in organisations with more than 50 staff. The survey was carried out by Maidenhead, UK-based Axial Systems in the first quarter of 2017.
Mike Simmonds, managing director of Axial Systems, commented: “Businesses are starting to wake up to all the messages we see out there in the marketplace around cyber-preparedness. However, our survey reveals that there is much more work to do. Every organisation should have some sort of a cyber response plan in place – and senior directors within a business should certainly be aware of whether or not such a plan has been prepared. That’s clearly not the case currently.”
In line with this, the survey found that even those directors who said they did have a response plan struggled to provide much detail around it. Many respondents gave basic answers, such as ‘we have back-up help’ or ‘we keep firewalls and anti-virus up-to-date’, that are unlikely to constitute a sufficient response to a real attack. Some expressed a lack of knowledge of the process, while others argued that they ‘have a team to handle it’ or that they ‘call in an expert’.
The Axial survey indicates that part of the issue for the C-suite may be a lack of dedicated support from within the organisation. More than half (52%) of C-level respondents said that cyber-security is the role of the IT department. In total, just 35% said there was a separate security department in place, but significantly fewer than half of those respondents said that department was headed up by a dedicated chief security officer (CSO) or chief information security officer (CISO).
“This chimes with our own experience in engaging with businesses at Axial,” added Simmonds. “IT departments will inevitably be distracted by a host of other challenges which will make it difficult for them to focus sufficient time and expert resource on security issues. By not having a dedicated security team, organisations are potentially putting themselves at even greater risk.”
The survey also reveals that C-level directors themselves sometimes fail to lead by example. Levels of ‘transgression’ with regards to personal use of business data appear to be much higher among senior directors than among office workers generally.
In all, 45% of the C-level sample admitted to having stored company data on a home computer. This compares with just 14% of office workers surveyed in a parallel poll conducted by Axial (also employees of organisations with over 50 staff) who confessed to having done the same. Similarly, 18% of office workers said they had ‘sent work data to personal devices for easy access’ – just under half the proportion of senior directors (41%) who admitted to doing this.
The survey raises concerns about whether those at the top of business are really passing on the message around key security concerns and best practice approaches to more junior employees. 50% of office workers have not received any training at all on IT/cyber-security since joining their current business – and many lack a clear understanding of their business’s security policies around IoT and GDPR.
Given this backdrop, it is perhaps unsurprising that there is so much speculation across the business world about how well prepared businesses are for the General Data Protection Regulation (GDPR). Just 17% of the C-level sample in the survey think their organisation is fully prepared, and there is good reason for that low figure.
Many employees are not well versed in the implications, dedicated security teams are in short supply, and perhaps most concerning of all, says Axial, more than a quarter (26%) of C-level directors said their businesses did not have a Data Protection Officer (DPO) in place – even though having one is, in many cases, a mandatory requirement of the pending GDPR regulations.
Head of Sales at Axial Systems, Paul Brett, commented, “Prevention is always better than cure when it comes to cyber-breaches. It is always cheaper to solve the problem up front as opposed to afterwards. After the event, you will have to pay for a new solution anyway but you are also likely to have to deal with loss of revenue, loss of customers, reputational damage and maybe even share price impact. Depending on the nature of the breach, it may take years for the business to recover, if indeed it ever does.”
Cal Leeming, CEO at Lyons Leeming, said, “GDPR was designed really as a ‘minimum specification’. We have to really remember that. It’s not the case that the regulation is something that we should aim for. It’s more about the authorities stating that this is really the base level standard and if you are more than a ‘hair’ off this, you are going to get sanctioned. What organisations should really be saying is here is our baseline, let’s try to exceed that, let’s excel. You’d hope that every company and every CEO or business owner will always do that; will always say: ‘we are going to go above and beyond’. In reality, of course that’s not the case.”
“It took me four years training as an engineer and then more by excellent mentors on the business side before I fully understood the business implications of cyber-threats. That’s key because cyber-security is not a technical problem, it’s a business risk problem.
The volume of cyber-security breaches that we see in the market today is starting to desensitise people to the gravity of these incidents. That’s a big issue. People are just so used to hearing news stories about leaks that they are increasingly unaffected by them.”
According to Jason Hart, CTO for the Enterprise & Cyber Security division of Gemalto, “The business as a whole should own information security not the IT department. It should be a board level responsibility. They should be pushing down the requirements and then making individuals accountable. IT are there to implement the procedure or the control and manage it. They are not there to police it.”
Hart added, “Security ultimately needs to be transparent to the individual user. We are a long way from that point today. But there are hopeful signs. The onward march of AI (artificial intelligence) and behavioural analytics is helping drive the process and the move to cloud and microservices will help to accelerate it.
Looking to the future, however, if this is to be sustained, we need to see more collaboration between technology vendors and cloud providers, and vendors need to make security simpler and easier for users.”
“Security training within businesses today is essentially not working. There needs to be different types of training for different types of individuals within the organisation. More importantly, the training needs to highlight the potential impact of security breaches to specific individuals. Training must never be conducted in isolation. The learning points need to be aligned with the business culture of the organisation.”
“I’ve been involved in GDPR for a number of years. The bottom line is people are still very confused about the regulation. They feel it is complicated. They don’t understand what it is trying to achieve. People often say ‘Well, I’m PCI compliant; I have ISO 27001 certification. I don’t understand the linkage or the additional need.’ Most people I speak to are not even aware that GDPR is coming downstream. So I think as UK PLC, we have done quite a bad job of getting the message out there,” Hart concluded.