The majority of senior business decision-makers do not prioritize information security in the list of threats to their organization, a new report from NTT Com Security has found. Out of 800 personnel surveyed globally – all non-IT professionals from large organizations – fewer than one in ten executives view poor data security as the greatest risk to their business. This is despite the fact that 63% expect to be the victim of a security breach.
Attitudes towards the negative effects of security breaches also seem to be conflicted. While almost six in ten insist that a security breach would cause minimal damage for the company, the same number believe that reputational damage would result. A similar number (56%) feel that data loss would cause a decline in customer confidence.
Also concerning is the report’s finding that a quarter of senior executives ‘do not know’ what the financial implications of a breach would be. In addition, 17% feel that there would be no monetary impact. This is despite widespread reports that the costs of data breaches is rising significantly.
“The concern here is whether senior business decision makers recognise the risks to their organisation, as well as understand the value of good data security. There seems to be a worrying level of indifference,” said Garry Sidaway, senior VP security strategy and alliances at NTT Com.
NTT’s report also reveals some worrying attitudes towards the cost of information security. Over one in six are unaware of how much their organization spends on security, and just fewer than one in five view security costs as ‘disruptive’.
The report also highlights a clear confusion in the area of responsibility and accountability for security matters. Over a quarter of respondents rely on their own judgment to determine what is safe behavior, rather than referring to company policy. Only a fifth view security as a joint responsibility between them and the IT team.
NTT Com Security CEO Simon Church emphasized that there is still a reluctance from business decision-makers to concern themselves with technology-related matters. “As an industry, we need to be much smarter at educating businesses about the wider implications of data breaches,” he said.
He added that more should be done to highlight the importance of information security, so that “It becomes an essential part of a company’s overall risk posture and valued as highly as profits and reputation.”