List: New research reveals how the C-Suite ducks the blame on cyber security.
Cyber security firm Palo Alto has released the results of a survey that took in the views of 765 business decision-makers in companies that have 1,000 or more employees across the U.K., Germany, France, the Netherlands and Belgium.
The results give a fascinating insight both into how firms approach cyber security, and how they manage the risks and assets associated with it.
Commenting on the findings, Greg Day, vice president and regional chief security officer, Europe, Middle East and Africa, Palo Alto Networks said: "The new EU regulations will require businesses to step up their cyber security practices, and this can be an opportunity or a risk, depending on how these businesses choose to approach it. Ultimately, it is critical that managers recognise that, when it comes to cyber security, the onus is on everyone – it’s no longer a dark art but an everyday business practice that must pervade every level of the organisation."
CBR draws out some of the key points from the survey:
1. Managers still think responsibility for security remains in IT…
The research found that nearly half of managers (46%) believe that the ultimate responsibility for protecting their organisation from cyber security risk rests within the IT department.
This is despite a growing appreciation in the business world that the C-Suite needs to take responsibility for cyber security, and an increasing number of executives losing their jobs in the wake of cyber security breaches. Perhaps the most famous example of this is former Target CEO Gregg Steinhafel.
2. …And IT agree
Interestingly, that view of responsibility for cyber security is in fact shared with IT itself. 57% of the department agree that they hold sole domain over a company’s security, the survey found.
This gives an indication that the often criticised siloed approach to cyber security, with all members of a firm not taking responsibility for it, is not actually ending as quickly as many would like.
3. Employees think that their bosses still do not understand the risks
While the survey reassuringly found that the majority of respondents did demonstrate a growing understanding of the cyber risks faced by firms, this is not always seen by employees themselves.
The survey found that 1 in 10 employees still do not believe that the executives or the people who sit on the board at their firm have a relevant or accurate understanding of current cyber security issues. The employees are therefore not sure that the leadership will be able to effectively defend against cyber attacks.
4. Lots still have to Google to understand cyber security
More than 1 in 10 (13%) of C-level respondents said that they only "kind of" understand what defines an online security risk to a business, showing a significant lack of knowledge at the very top of firms.
Indeed, that lack of knowledge is so acute that those C-Level respondents admitted that they also "still have to use Google to help explain it."
5. A Holistic approach still not happening
Cyber security experts are increasingly talking about a holistic, rounded approach to cyber security, but this does not seem to be happening in reality.The survey revealed that 25% of companies currently measure the effectiveness of a cyber security policy by the number of incidents that have been blocked as a result of it.
Time is also a still a critical factor in judging cyber security success, with 21% of respondents referring to how long it took an issue to be resolved in judging effectiveness, and 13% monitor the length of time since the last incident.
As a result of the findings Palo Alto recommend that firms need a cyber security approach that deals with every part of the attack lifecycle, including dealing with employee awareness. Everyone in the business needs to be aware of the role they play in cyber security, it said.
The firm also said that the tools used to defend against cyber attacks must not only comply with regulations, but also not get in the way of people working efficiently in the way that they want.
It said that to get a more accurate view of risk, pre-emptive and real-time measures, such as an organisation’s ability to monitor all the traffic in its network, should be taken into an account.