Poor board level buy-in hampering cybersecurity of global businesses

20 December 2017 Consultancy.uk

Cybersecurity remains a key area of concern for businesses globally. However, a lack of board level buy-in and poor communication means fewer than half of all organisations have even completed basic vulnerability assessments, according to a new survey.

With several consulting firms having recently been the victims of data breaches or close calls, cybercrime remains a key concern for businesses, governments and individuals. Increasing numbers of valuable interactions occur within digital spaces, which are often relatively insecure. A variety of attacks continue to damage businesses, while some are more serious still: an attack on Ukraine’s power system saw 230,000 people placed in danger by power shortages.

The scale of an attack can vary considerably, with everything from script kiddies to organised gangs and state actors active in the arena. Defence, mitigation and resilience to attacks vary considerably as well, as some businesses and consumers remain drastically under-prepared.

Automation on cyber security

In a new report from PwC, titled ‘2018 Global State of Information Security Survey (GSISS)’, the professional services firm explores how far 9,500 respondents have prepared themselves to resist potential bad actors, particularly with regard to the increasing number of automated systems that operate across the wider business environment, from Industry 4.0 to RPAs.

The firm’s survey of businesses that leverage automation shows considerable concern among respondents about the consequences of a successful attack against their systems. 40%, for instance, imagine a disruption of operations / manufacturing, 39% imagine a loss or compromise of sensitive data, while 22% believe a breach could even result in harm to human life.

Board level confidence

The research notes, however, that a large portion of the respondents do not have an employee-focused security awareness training programme (earlier reports found that employees tend to be a weak link). Meanwhile, 54% do not have an incident-response process in place, which is increasingly pressing for organisations operating with information on EU citizens.

Board involvement

Board involvement remains a key precipitator in wider security implementation, with strong governance and executive buy-in linked to wider strategy success. However, the research found active engagement from 44% of respondents’ corporate boards. Board activity is relatively weak in terms of involvement in security policies, at 39%, while their hand in security technologies and review of current security and privacy risks comes in at 36% and 31% of respondents respectively.

Reporting security officers

The principal security officers, tasked with dealing with cybersecurity-related planning and incident management, tend to have a relatively broad remit when it comes to reporting. Around 40% report directly to the CEO, while 27% report directly to the board, reflecting a possible information bottleneck to the board. Other reporting lines include the CIO and the chief privacy officer.

More broadly, there is fragmentation of opinion when it comes to the approach taken by ownership. Many organisations (48%) lack a CISO, CSO or equivalent position, while around 45% report that they employ a chief security officer, and 47% employ dedicated security personnel in general.

Lack of preparation

When it comes to processes that are seen as key to ‘uncovering cyber risks within businesses’, fewer than half of survey respondents had implemented them. Vulnerability assessments, for instance, had been implemented at 45% of organisations, while penetration tests had been implemented at 42%. Other processes, like threat assessments and the active monitoring/analysis of information security intelligence, were found to be implemented at 45% and 48% of respondents’ organisations respectively.