Execs Ignore IT Staff’s Security Advice

Even though IT professionals often warn their superiors about pending IT security disasters, executive management mostly fails to take action.

According to a survey from Lieberman Software, where IT security respondents were asked about the obstacles they face trying to convince management to proactively deal with cyber-threats, 11% said they couldn’t find a way to give IT a place in the corporate board room; 10% said they couldn’t find budget to rectify the situation; 12% said they couldn’t convince management of the severity of cyber-threats.

Almost half (45%) said all of the above.

“IT security is a companywide issue. Any CEO or corporate board who does not realize this will have a nasty shock when their company is attacked, their share price plummets and they lose customers,” said Philip Lieberman, CEO of Lieberman Software.

Further, a full 92% of IT security professionals believe that cybersecurity drills are a good way to prepare for cyber-attacks. However, 63% of those surveyed admitted that their organizations never run such drills, or do so only annually. Only 11% of organizations carry out cybersecurity drills quarterly, while 26% conduct them every six months.

“In today’s threat landscape, organizations are attacked continuously,” Lieberman said. “With this in mind, you would think companies would be doing everything they can to limit the damage of potential cyberattacks. However, our study reveals this clearly isn’t the case. And IT teams are fully aware of the consequences.”

The message is clear: corporate boards should learn about the cyber threats targeting their companies, and should have a good understanding of the company’s IT security posture.

“Executive management should assume that intruders are already inside their networks,” Lieberman said. “They should ensure that their organizations can contain cyber-attacks by securing privileged access, and by removing shared and long-lived credentials that intruders exploit to move around the network. This will mitigate damage and protect the company’s reputation when a cyber-attack does occur.”
