US company boards are getting more involved in cybersecurity, but information-sharing of threat intelligence across business communities still lags.
According to BDO Technology Advisory Services’ 2016 Board Survey, a heartening 80% of directors say they have increased company investments in cybersecurity over the last year, with an average budget expansion of 22%.
And, 74% of public company directors report that their board is more involved with cybersecurity than it was 12 months ago.
This is the third consecutive year that board members have reported increases in time and dollars spent on cybersecurity; and, the survey identified improvements in the number of boards with cyber-breach response plans in place (from 45% to 63%).
"Over the past three years, the BDO Board Survey has documented the ascension of cybersecurity up the boardroom agenda,” said Shahryar Shaghaghi, BDO Technology Advisory Services national leader and head of International BDO Cybersecurity. “Corporate directors are being briefed more often and are responding with increased budgets to address this critical area.”
But despite that good news (and despite CISA and Presidential Policy Directive 41), threat-intelligence sharing hasn’t taken off. Just 27% are sharing information on cyber-attacks with entities outside of their business. A slightly smaller number (24%) say they do not share the information and approximately half (49%) weren’t sure.
Among those who do share cyber-information, the majority share with federal agencies (88%), followed by ISACs (28%). Only a fifth (19%) share with competitors.
Earlier this year, the White House outlined how businesses can contact relevant federal agencies about cyber-incidents they experience.
“Sharing information gleaned from cyber-attacks is a key to defeating hackers, yet just one-quarter of directors say their company is sharing this information,” said Shaghaghi.
The survey also reveals significant vulnerabilities. Although measurable progress has been made from a year ago, less than half of board members report they have both identified and developed solutions to protect their critical digital assets, and an even smaller proportion indicate they have put cyber-risk requirements in place for third-party vendors – a major source of cyber-attacks.
When asked about formal risk assessments of their critical digital assets, almost half (45%) of the directors report that they have completed documentation of their business’s critical digital assets and developed solutions to protect them. This represents a significant improvement from 2015 when only one-third (34%) had completed this task. A quarter (25%) of the board members indicate they have identified their critical digital assets, but a solution strategy is still in process.
Better than a fifth (22%) of board members indicate that their company experienced a cyber-breach during the past two years, the exact same percentage as last year (22%) and double the percentage of 2013 (11%).
Photo © Sarawut Alemsinsuk