Cybersecurity firm Proofpoint’s “2022 Board Perspective” finds that while most executive boards are now aware of the risks to their companies from cyber attacks, a worrying amount remain unprepared.
Globally, 65% of board members feel that their organization is at risk of a material cyber attack in the next 12 months. However, 47% also say that their company is unprepared for this eventuality. The sense of preparedness also varies greatly by country, ranging from as many as 72% of organizations feeling unequipped for the task to as few as 12%. There is also great variety by industry, with 23% unprepared at the top (oil and gas) and 62% at the bottom (education).
Cyber attack confidence tied to threat awareness, regulations and remediation approaches
The survey was taken in August and includes responses from 600 board directors at organizations that have at least 5,000 employees. Respondents were from about a dozen different countries and industries, with a roughly even mix of public and private sector. Proofpoint’s marketing indicates that it provides security services to 75% of Fortune 100 companies.
While 65% of the executives surveyed do believe that their organizations will be targeted by cyber attacks in the coming year, there are varying opinions about how serious these attacks will be and how they should be handled. Only 23% of these respondents said that they think cyber attacks are “very likely” to happen, and when filtered just for the responses of CISOs the number of those anticipating a cyber attack drops to 48% and the number that think it is “very likely” drops to 14%. This gap between boardroom and CISO appears to be particularly wide in certain specific industries: financial services, IT and manufacturing, three of the industries that tend to be most heavily targeted.
Board members and CISOs do appear to at least be on the same page as regards the likely sources of cyber attacks. Both see business email compromise (or email fraud) and cloud account compromise as among the top three threats to the organization. One area where they diverge is the risk of insider threats, which CISOs see as a top threat but board members rank below a number of other items.
About 35% of executives do not see a material cyber attack as a realistic possibility in the coming year; 47% say that their companies are unprepared for one. Preparedness levels show some very significant variance by country. Respondents in Japan say they are the least prepared (72%), followed by Singapore (62%) and the United Kingdom (58%). Confidence is much higher in the United States, Spain and Brazil, where 86% to 88% of respondents say that their organization’s data is adequately protected from cyber attacks. Though there is variance here by country and industry, across the globe 75% of executives say that they see information protection and data governance as a top priority.
Risk understanding is high, but preparedness still lags
While boards are not always confident (or are errantly overconfident) in their security posture, understanding of the threat landscape appears to be high across the board with 75% of respondents saying that they understand the full systemic impact a cyber attack can cause. This is another area in which there is wide national variance, however, with the leading nations in the high 80s (Brazil, Spain and the UK) and the least confident nations in the mid-50s (Australia and Canada).
The survey responses also raise some questions about whether companies are accurately gauging their readiness levels. For example, 76% of board members say that they feel their employees understand their role in protecting the organization from cyber attacks, and the same amount say that they discuss cyber security issues at least once a month. There is quite a bit of evidence that employees are by and large not fully understanding what they need to do to maintain network security from their end, however, even when regular training is conducted.
90% of organizations now have CISOs, and 73% say that CISOs at minimum make regular presentations to the board. However, only about 50% say that they have regular interactions with the CISO and about 33% say that they only see the CISO when they are presenting to the board. There also appears to be some disconnect in perspective on how smoothly the relationship is functioning: 69% of board members say they see eye-to-eye with their CISOs, but only 51% of the CISOs agreed. This is reflected in the responses to the question of what the most important consequences of a cyber incident are: board members worried most about internal data becoming public and company reputational damage, while CISOs were most concerned about downtime and disruption of regular operations.