Despite attention-grabbing headlines about cyber-threats from external attackers, company bosses in fact see their own employees as the greatest threat to corporate data and computer systems.
That is the view of 53% of respondents to ‘Boardroom Cyber Watch 2013’, an international survey of senior executive opinion conducted by IT Governance, a provider of IT governance, risk management and compliance expertise.
The threat from employees was ranked ahead of risks from criminals (27%), state-sponsored cyber-attackers (12%) and competitors (8%) by an international sample of 260 board directors, IT directors and other technology professionals polled by IT Governance in April and May 2013.
The survey indicates the level of cyber-threat facing today’s organisations: 25% of bosses say their organisation has been the target of a ‘concerted attack’ in the past 12 months. The true figure may be higher, as over 20% are unsure whether their organisation has been subject to such an attack.
Many board directors, however, still appear inadequately informed about cyber-risks. While a majority of respondents say their board receives ‘regular’ reports on the status of their organisation’s IT security, 52% say such reports arrive, at best, annually. Only 5% say reports are submitted daily, 11% weekly and 33% monthly.
Furthermore, although cyber-threats can disrupt mission-critical business operations, only 30% of respondents say an understanding of current IT security threats is a prerequisite for board-level job candidates.
Alan Calder, Chief Executive of IT Governance, says: “In the face of the rapid development and deployment of new cyber-threats, such infrequent executive oversight of IT security status seems alarmingly casual. Companies are not ignorant of the risks: 77% of bosses told us their organisation has a method for detecting and reporting attacks or incidents. However, in the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations.”
This lack of insight perhaps explains why boardrooms find it difficult to judge how much they should invest in cyber security measures. A significant minority, over 40% of respondents, say either that their company is investing at the wrong level or that they are unsure whether its investment is appropriate. A quarter of respondents admit to having lost sleep over their cyber security in the past year.
Yet the survey reveals the competitive advantages that flow from effective information security. Fully 74% of respondents say their customers prefer dealing with suppliers with proven IT security credentials, while 50% say their company has been asked by customers about its information security measures in the past 12 months.
Calder says: “The best way for organisations to prove their cyber security credentials is to comply with, and be certificated against, ISO 27001, the global best practice standard for information security management. This lets you signal to customers anywhere in the world that you have a robust method for addressing the entire range of risks associated with systems, people and technology.
“ISO 27001 is no secret: 87% of our respondents tell us they are aware of it. However, only a tiny minority of businesses have so far been certificated to the standard, so most are denying themselves an advantage their customers are telling them they want.”