A recently published global survey of C-Suite level executives and IT Decision Makers (ITDMs) revealed a large gap in assessments of cyber threats, costs and areas of responsibility. Among the most significant disconnects:
- 80% of the executives surveyed in the U.S. believe cybersecurity to be a significant challenge facing their business, while only 50% of ITDMs agree.
- ITDMs estimated the average cost of a cyber breach at $27.2 million, much higher than the average $5.9 million cited by executives.
- 50% of the executives surveyed believe that if an attack on their organization succeeded, the cause would be human error by employees, compared to 31% of ITDMs.
The research shows there is a lack of understanding when it comes to the cost of a successful breach, which many underestimate. It isn’t just about what the thieves get away with. A successful cyber attack can have far-reaching implications such as a hit to the share price, lost business, fines — even a failed strategic investment or merger.
Gaps between the strategic visions of the C-suite and the real-world experiences of IT specialists should not be a surprise. The two groups may think differently about the nature of cyber risk and about the way threats translate into business and technological risks. This is largely due to their priorities — C-suite executives have responsibility for mitigating business risk, while IT delivers the technological support that drives the business.
The most common area of agreement between these key groups is that danger lurks in cyberspace. Sixty percent of C-Suite executives and 66% of ITDMs think their businesses will be targeted for a cyber attack in the next 12 months, and both groups report that they expect the frequency and severity of attacks to increase. This is confirmation that the threat from cyber attack is now just part of the day-to-day reality of doing business in a hyper-connected world.
Organizations that take cyber security seriously should implement best practices that will help reduce the disconnects and ensure effective cyber risk management. Among them:
- Include the C-suite in incident response table-top exercises so they fully understand their roles, and all the possible costs of an attack. Having firsthand experience of an attack, even a simulated one, means the C-suite will gain awareness that’s vital to driving a top-down security-focused culture.
- Educate both groups — and all employees — on the need to understand their organization’s cyber exposure and how attackers can exploit information they gather from reconnaissance efforts to craft targeted attacks. It should be more than a theoretical exercise, using real examples of what can be found about the organization. For example, customer details, including login credentials and account information, are often for sale on the dark web. This information can be leveraged by attackers to create synthetic IDs that are often used to enable cyber crime.
- Introduce a forward-looking, strategic approach to cyber defense to deal with the reality of the likelihood of cyber attacks. This strategy must capture an appropriate balance between tools, people and processes. There is no silver bullet when it comes to protecting critical assets, and technology alone cannot be counted on. You can have the latest and greatest technology in place, but it can still be vulnerable if you don’t have the right people with the correct skills as well. Furthermore, operating procedures need to be well defined and expressed to get the most from the technology. For example, security teams need to have enough bandwidth to investigate alerts that are being generated – and simply turning up the alerting threshold and thereby reducing the number of alerts is not a good way to deal with a lack of bandwidth.
- Explore the use of automation, where possible, in operational processes. This is becoming a focus as security professionals look to maximize what they can do with existing resources. To triage efficiently, security teams need as much context as possible to ascertain if an alert is important or not. This context includes internal as well as external data, such as threat intelligence, which can provide broader context on attack groups’ tools, tactics and procedures.
- With the continued risk of ransomware attacks, IT teams must implement an appropriate backup strategy to help mitigate the impact of these attacks. If valuable data is lost because it was encrypted by ransomware, backups can be used to restore the data without the need to pay the ransom. Backup data needs to be stored in protected locations to ensure that it isn’t encrypted during an attack. This backup strategy needs to be part of an organization’s broader Incident Response plan, which should capture in detail what would be done to contain and then recover from a ransomware attack.
- Assume that at some point your organization will be breached. Review your ability to detect and respond to threats inside your network and on your endpoints. New security initiatives should focus on reducing the time it takes to discover and then contain and remediate unwanted activity on your systems. It is now broadly accepted by security thought leaders that only looking for patterns of nefarious activity derived from previously seen attacks is not sufficient to detect well-crafted targeted attacks that are likely not to have been seen before. To reduce the time it takes to detect unwanted activities in IT systems, organizations now need to evaluate the use of additional detection techniques. For example, hackers often establish command and control channels to direct their attacks. Finding these channels is crucial to uncovering unwanted activities.
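To make the last point concrete, here is an added illustration (not part of the original article) that compares matching against indicators from previously seen attacks with a timing-based check for a possible command and control channel. The host names, domains, timestamps and thresholds are constructed assumptions.

```python
"""Known-indicator matching vs. timing-based detection of a possible C2 channel."""
import statistics
from collections import defaultdict

# Constructed sample data: (epoch_seconds, internal_host, destination) from proxy logs.
KNOWN_BAD = {"old-c2.example.com"}  # indicators from previously seen attacks
BEACON_TIMES = [0, 301, 598, 902, 1199, 1503, 1800, 2102]  # roughly every 300 s
BROWSE_TIMES = [12, 40, 55, 700, 712, 1900, 1904, 2500]    # irregular, human-driven
EVENTS = (
    [(t, "ws-17", "cdn-sync.example.net") for t in BEACON_TIMES]
    + [(t, "ws-17", "news.example.org") for t in BROWSE_TIMES]
    + [(t, "ws-22", "mail.example.org") for t in (5, 900)]
)


def known_indicator_hits(events, known_bad):
    """Signature-style check: flags only destinations already on a list."""
    return sorted({(h, d) for _, h, d in events if d in known_bad})


def beacon_candidates(events, min_events=6, max_cv=0.10):
    """Flag host/destination pairs contacted at near-constant intervals.

    cv = stdev(gaps) / mean(gaps): automated check-ins give a low cv,
    human browsing a high one. Both thresholds are illustrative assumptions.
    """
    times = defaultdict(list)
    for ts, host, dest in events:
        times[(host, dest)].append(ts)
    found = []
    for (host, dest), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            found.append((host, dest, round(mean), round(cv, 3)))
    return sorted(found)


if __name__ == "__main__":
    print("known-indicator hits:", known_indicator_hits(EVENTS, KNOWN_BAD))
    print("beacon candidates:  ", beacon_candidates(EVENTS))
```

The indicator list finds nothing because the destination has not been seen before, while the interval check surfaces it. Legitimate software such as update agents also checks in on a schedule, so each candidate still needs triage with internal and external context.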
As the threats evolve, it isn’t just about tracking known threats, but about taking a proactive approach and working to understand new, unknown cyber threats.