C-Level Execs Concerned About Cybersecurity, But Not Investing in It

C-Level Execs Concerned About Cybersecurity, But Not Investing in It
C-Level Execs Concerned About Cybersecurity, But Not Investing in It

Cybersecurity concerns C-level execs more than concerns over their companies’ reputations. However, many are unwilling to invest to assuage the worries; and many don’t realize that a data breach could be the most costly reputational issue that a company can face.

According to the Fifth Annual Board of Directors Survey from EisnerAmper, there is an ever-increasing concern over cyber-attacks among board members, particularly for public companies and not-for-profit organizations. However, both private companies and organizations with more than $1 billion in revenue felt they were more at risk from cybersecurity/IT than reputation issues.

The recent spate of attacks on a wide range of organizations have exposed vulnerabilities across what were perceived to be insulated corporate and financial infrastructures — and within apps, routers, hardware and websites.

“It proved that cyber-thieves target more than financial and banking information; there is a premium on private communications and other stored data,” the report noted. “It further demonstrated that social media enable these reputation issues to take on a life of their own, both in terms of viral dispersion as well as an uncontrollable timeline, with a footprint that is almost impossible to erase.”

However, the survey also showed a lack of willingness and resources to address the fears.

“Many respondents wrote in that they had no plans — or relatively unsophisticated plans — to protect their reputations [in a cyber-crisis],” the firm said. “Overwhelmingly, C-suite executives and the board were referenced as the go-to resources to execute a plan to preserve a company’s reputation during a crisis.”

Crisis management, which could include plans on how to avert a substantial impact on an organization’s reputation (including social media showdowns developing from any issue and risk listed — and then some), generated concern from only 31% of respondents — garnering a rank even lower than last year, when it included disaster recovery.

And, if the expectation is that the C-suite and/or board members will take the helm during a disaster, the perceived level of knowledge of CEOs and CFOs around cybersecurity — and more importantly, social media — “leaves an observer with an uneasy feeling about how a response would effectively factor in the fallout from these facets of any crises,” the report noted. “Anecdotally, many executives (and board members) readily admit their lack of understanding of new media and cyber issues — two areas in which mere general knowledge can miss the critical nuances necessary for effective strategic and operational decisions.”

Less than 40% of respondents indicated their organizations have a comprehensive enterprise resource management program that is fully implemented; 22% don’t even have a program.

Despite all of these contradictions, most companies continue to feel they are addressing risk either very well or well enough, from a variety of approaches.

“The financial cost and damage to reputation from a cyber/privacy breach is growing exponentially,” said Nancy Brady, director of IT risk services for EisnerAmper, in the report. “Directors have recognized the increasing risk companies face related to cyber/data security. Now they need to roll up their sleeves and, with the companies, address these risks.”

What’s Hot on Infosecurity Magazine?