Although cybersecurity has become a more prominent issue for executives and boards of directors, three recent benchmark surveys − the BDO Board Survey, the 2015 Consero Group’s General Counsel Data Survey, and the 2015 US State of Cybercrime Survey − indicate that a number of cyber-preparedness gaps remain.
The recently released BDO Board Survey revealed that more than two-thirds (69 percent) of corporate directors report their board is more involved with cybersecurity than it was 12 months ago, up from 59 percent in 2014. However, while BDO found that 70 percent of board members say they have increased company investments in cybersecurity, only 45 percent of corporate directors say their company has a cyberbreach/incident response plan in place. More than 20 percent of board members said they weren’t sure whether their company had such a plan.
These findings parallel a recent survey of Fortune 1000 general counsels. Thirty percent of the general counsels surveyed as part of the 2015 Consero Group’s General Counsel Data Survey reported having experienced a security breach in the preceding 12 months, and 21 percent cited data privacy and security as a top concern and priority − ahead of litigation (19 percent) and mergers and acquisitions (17 percent). Yet more than half (60 percent) of the general counsels surveyed do not feel their company is prepared to defend against a cyberbreach.
According to the Consero Group survey, general counsels face certain realities that drive concerns about data privacy and security, including:
- Increased prevalence of security breaches: In 2015, 30 percent of general counsels responded that their organization had suffered a security breach, up from 23 percent in 2014.
- Lack of cyber-preparedness: Sixty percent of general counsels surveyed do not feel adequately prepared to appropriately address a data security incident.
The general counsels’ concerns identified by the Consero Group are consistent with executives’ concerns reported in the 2015 US State of Cybercrime Survey conducted by PwC, CSO, the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the United States Secret Service. The 2015 Cybercrime Survey aggregated responses from more than 500 business executives, law enforcement, and government agencies. Specifically,
- Increased cyberattacks: The behavior of threat actors has become increasingly egregious, and their attacks can be progressively more destructive. Attackers impacted more records in 2014 (over one billion) than ever before.
- Narrow spending focus: One out of two respondents do not conduct periodic security awareness and training programs, a reflection of budget priorities. However approximately one out of two respondents said adding cybersecurity technologies is a spending priority – in contrast to only 15 percent saying that redesigning processes is a priority and only 33 percent prioritizing adding new skills and capabilities – event though employee training is necessary to maximize the success of technology investments.
- Minimal board involvement: Only 25 percent of persons surveyed said that their full Board was engaged on cyber-risk issues, yet 30 percent of respondents said that no Board committees or members were engaged on cyber risks.
- Narrow board focus: Forty-two percent of boards see cybersecurity as a corporate governance issue, though 49 percent of boards treat cybersecurity as an issue applicable to the whole business enterprise.
- Insufficient third-party management: Up from previous years, in 2015, 62 percent of respondents said they evaluate the security risks of third-party partners and 57 percent said they do so for contractors, though only 42 percent said they consider supplier risks.
What you can do – key protective steps
While there are a number of steps executives and boards can take to ensure preparedness, based on these surveys, companies should, at a minimum:
- Develop, implement and test security incident response plans. Planning for a security incident is a key part of the NIST Cybersecurity Framework, which notes that “investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.”
- Implement an employee training program. Employee training is especially important, given the recent rise of social engineering attacks such as phishing designed to manipulate unwary employees.
- Audit and address your third-party risks. A number of recent high-profile breaches began with attacks on third-party vendors. Moreover, regulators are becoming increasingly interested in ensuring that contracts with third parties address cybersecurity risks. For example, a new law in Connecticut (S.B. 949) that went into effect this year requires entities that contract with the state of Connecticut and receive “confidential information” to “[i]mplement and maintain a comprehensive data-security program for the protection of confidential information.” Confidential information is defined to include name, date of birth, mother’s maiden name, motor vehicle operator’s license number, and Social Security number, among other types of personal data.