A new survey of business leaders in the U.S., U.K. and Germany found many major cyber incidents from the past few years went unnoticed by the majority of respondents.
CA Veracode commissioned a report to investigate the level of understanding and breach awareness among managerial and board-level directors and executives at companies around the globe. The survey received responses from 1,403 business leaders — including owners, partners, chairpersons, chief executives, managing directors, and other board or senior-level managers and directors — the majority of whom were located in the U.K. (653) and U.S. (506), with some respondents from Germany (244).
The results were stark: only one major cybersecurity incident since 2013 had breach awareness above 50%, the Hillary Clinton email scandal (68%). Fewer than 50% of respondents said they had heard of NotPetya (15%), Heartbleed (17%), the Office of Personnel Management (OPM) (18%), Equifax (28%), Target (32%), WannaCry ransomware (34%), the CIA Vault 7 leak (46%) and Yahoo (46%).
Yvette Connor, chief risk officer at Focal Point Data Risk in Tampa, Fla., said the low levels of breach awareness were not “surprising at all.”
“We are facing a crisis in cybersecurity. For too long, companies and boards have viewed cybersecurity as a technology issue ending with CIOs and CISOs, or as a compliance matter driven by auditors,” Connor told SearchSecurity. “The role of oversight at the board level needs to evolve. It is not about the board needing to know all about issues like Apache Struts vulnerabilities, but rather these leaders asking hard questions about how preparedness and risk mitigation are being handled and pressing for qualitative information on progress.”
Other experts agreed. Jim Ivers, vice president of marketing for the software integrity group at Synopsys Inc. in Mountain View, Calif., said, “Security is all too often an afterthought or a reactionary exercise that kicks in when business gets disrupted or an incident hits close to home. If it isn’t affecting, or at least threatening, the bottom line in a tangible way, it won’t impact day-to-day decision-making.”
James Plouffe, lead solutions architect at MobileIron in Mountain View, Calif., was surprised at the low breach awareness of certain incidents.
“It’s somewhat understandable that breaches like Equifax, OPM and Target have lower awareness insofar as they affect mostly North American companies and people. But NotPetya and WannaCry had global reach, and while the Vault 7 breach affected primarily the U.S. government, the disclosure of those tools has global implications,” Plouffe told SearchSecurity.
Cyber incidents leading to inaction
Beyond being unaware of breaches, CA Veracode noted in its report, “Securing the Digital Economy,” that “nearly half of business leaders [stated] that none of the high-profile cyberattacks had caused them to rethink their approach to cybersecurity,” and “one-third of British and German business leaders reported that their businesses [did] not plan to take any steps to improve overall cybersecurity in the next 12 months.”
U.S. respondents didn’t fare much better, as only one in 10 cited the Target breach, the JPMorgan Chase breach, the Yahoo data breach and the Equifax data breach as “cases that had caused their organizations to rethink cybersecurity.”
Travis Smith, principal security researcher at Tripwire in Portland, Ore., said executives didn’t need to be briefed on all the latest cybersecurity incidents, but they should have basic breach awareness for attacks on organizations similar to their own.
“If your competitor is under attack by cybercriminals, you’re either next or you were the previous victim. However, for individual vulnerabilities or malware families, the CIO is probably the highest executive who needs to be aware of such information,” Smith told SearchSecurity. “The best advice for IT administrators is to understand your infrastructure and your market to determine what your risk profile is. If a new vulnerability or cyberattack hits the news cycle, which could ultimately affect your business, then run that information up the chain to get the appropriate exposure. Remember, though, that executives want solutions, rather than problems.”
Plouffe said IT can often have trouble communicating security issues because “it’s vitally important to address the risks without seeming alarmist.
“The folk tales of Henny Penny/Chicken Little or The Boy Who Cried Wolf are instructive: If everything is an emergency, then nothing is an emergency,” Plouffe said. “Superficially, things like Heartbleed and the Apache Struts vulnerability may seem equally catastrophic, but while virtually every company probably had some implementation of OpenSSL that could be affected by something like Heartbleed, not every organization uses Apache Struts. IT and infosec practitioners need to be able to give frank, accurate, and comprehensible appraisals of what the real risk is and how to mitigate it.”
Connor said breach awareness throughout the executive suite is important, because “technology touches everything, so technology and cybersecurity risks require a truly collaborative effort.
“It is imperative for leaders across human resources, legal, facilities and other functions to have an active seat at the table in these dialogues,” Connor said. “These stakeholders need to understand their role in security and how they can do their part — in both defining risks and confronting them as a team.”