At a cyber-security roundtable in which new research findings from Axial Systems were discussed, Nathaniel Wallis, security specialist, said: “In our experience, many businesses do not have any kind of a response plan in place to manage the consequences of a successful cyber-attack on their business. That's despite the fact that many will have already experienced serious cyber-breaches and are likely to experience more in the future. Often, nobody really owns this problem at ‘C’ level. There is still a lot of education to be done.”
The survey results were collected from 250 C-Suite members in organisations with over 50 staff.
The survey found that even those directors who said they did have a response plan struggled to provide much detail around it. Many respondents gave basic answers, unlikely to constitute a sufficient response, and some expressed a lack of knowledge of the process or argued that they were not responsible and had “a team to handle it”.
More than half (52 percent) of C-Level respondents said that cyber-security is the responsibility of the IT department. Only 35 percent said there was a separate security department in place but, significantly, fewer than half of those said that the department was led by a dedicated chief security officer (CSO) or chief information security officer (CISO).
“The business as a whole should own information security, not the IT department. It should be a board level responsibility. They should be pushing down the requirements and then making individuals accountable. IT are there to implement the procedure or to control and manage it. They are not there to police it,” argued Jason Hart, CTO for the enterprise and cyber-security division of Gemalto.
“IT departments will inevitably be distracted by a host of other challenges which will make it difficult for them to focus sufficient time and expert resource on security issues. By not having a dedicated security team, organisations are potentially putting themselves at even greater risk,” Mike Simmonds, managing director at Axial Systems, commented.
The survey also revealed that C-level directors themselves sometimes fail to lead by example. Levels of “transgression” with regard to personal use of business data appear to be much higher among senior directors than among office workers in general.
Nearly half (45 percent) of C-level respondents admitted to having stored company data on a home computer while just 14 percent of office workers surveyed in a parallel poll by Axial (also of employees from organisations with more than 50 staff) confessed to having done the same. Eighteen percent of office workers said they had sent work data to their personal devices for easy access and 41 percent of senior directors admitted the same.
Half of office workers have received no training on cyber-security since joining their current business. Furthermore, many lack a clear understanding of their business's security policies regarding IoT and GDPR.
“Security training within businesses today is essentially not working. There needs to be different types of training for different types of individuals within the organisation. More importantly, the training needs to highlight the potential impact of security breaches to specific individuals,” Hart said.
Only 17 percent of the C-level respondents think their organisation is fully prepared for GDPR, and for good reason. Many employees are not well versed in the GDPR implications and dedicated security teams are in short supply. Lastly, despite it being a mandatory requirement of the pending regulation in many cases, 26 percent of C-level directors said their businesses did not have a Data Protection Officer (DPO) in place.
“GDPR was designed really as a ‘minimum specification’. We have to really remember that. It's not the case that the regulation is something that we should aim for. It's more about the authorities stating that this is really the base level standard and if you are more than a ‘hair’ off this, you are going to get sanctioned. What organisations should really be saying is here is our baseline, let's try to exceed that, let's excel. You'd hope that every company and every CEO or business owner would always do that, would always say, ‘We are going to go above and beyond.’ In reality, of course that's not the case,” said Cal Leeming, CEO of Lyons Leeming.
“Security ultimately needs to be transparent to the individual user. We are a long way from that point today. But there are hopeful signs. The onward march of AI and behavioural analytics is helping drive the process and the move to cloud and microservices will help to accelerate it. Looking to the future, however, if this is to be sustained, we need to see more collaboration between technology vendors and cloud providers and vendors need to make security simpler and easier for users,” Hart said.