Majority of board members believe their organization is at risk of a cyberattack, but nearly half feel they are unprepared
Cybersecurity company Proofpoint’s “2022 Board View” finds that while most boards are now aware of the risks posed to their businesses by cyberattacks, a disturbing number of them remain unprepared.
Globally, 65% of board members believe their organization is at risk of a significant cyberattack in the next 12 months. However, 47% also say their company is not prepared for this eventuality. Feelings of preparedness vary widely across countries, ranging from 72% of organizations feeling unequipped for the task down to just 12%. Preparedness also varies widely by industry, from 23% unprepared in the best-placed sector (oil and gas) to 62% in the worst (education).
Confidence about cyberattacks is linked to awareness of threats, regulations and remediation approaches
The survey was conducted in August and includes responses from 600 directors on boards of organizations with at least 5,000 employees. Respondents came from about a dozen different countries and industries, with a roughly equal mix of public and private sectors. Proofpoint’s marketing says it provides security services to 75% of Fortune 100 companies.
While 65% of the executives surveyed believe their organization will be the target of a cyberattack in the coming year, opinions differ on how serious these attacks are and how they should be handled. Only 23% of those respondents said they thought a cyberattack was “very likely” to happen, and when the results are filtered for CISO responses only, the share anticipating a cyberattack drops to 48% and the share that thinks it is “very likely” falls to 14%. This discrepancy between boardroom and CISO appears to be particularly large in specific industries: financial services, IT, and manufacturing, three of the industries that tend to be the most heavily targeted.
Board members and CISOs seem to at least be on the same page when it comes to the likely sources of cyberattacks. Both consider business email compromise (or email fraud) and cloud account compromise among the top three threats to the organization. One area where they diverge is insider threat risk, which CISOs rate as a top threat but board members rank below a number of other areas.
About 35% of executives do not see a significant cyberattack as a realistic possibility in the coming year, and 47% say their company is not prepared for one. Levels of preparation vary very significantly from one country to another. Respondents in Japan say they are the least prepared (72%), followed by Singapore (62%) and the UK (58%). Confidence is much higher in the United States, Spain and Brazil, where 86% to 88% of respondents say their organization’s data is sufficiently protected against cyberattacks. While there are differences by country and industry, across the world 75% of executives say they consider information protection and data governance a top priority.
Understanding of risks is high, but preparedness still lags
While boards are not always confident (or are overconfident) in their security posture, understanding of the threat landscape appears to be high across the board, with 75% of respondents saying they understand the full systemic impact that a cyberattack can have. Here too, however, there is great national variance, with the most confident nations in the 80% range (Brazil, Spain and the UK) and the least confident in the mid-50s (Australia and Canada).
The survey responses also raise questions about whether companies are accurately measuring their level of preparedness. For example, 76% of board members say they feel their employees understand their role in protecting the organization from cyberattacks, and the same proportion say they discuss cybersecurity issues at least once a month. However, there is ample evidence that employees generally do not fully understand what they need to do to keep the organization secure, even when regular training is provided.
90% of organizations now have a CISO, and 73% say the CISO regularly presents to the board. However, only about 50% say they have regular interactions with the CISO, and about 33% say they only see the CISO when they report to the board. There also seems to be a gap in perceptions of how well the relationship works: 69% of board members say they agree with their CISOs, but only 51% of CISOs agree. This is reflected in responses to the question of what the most significant consequences of a cyber incident are: board members were most concerned about internal data becoming public and reputational damage to the company, while CISOs were more concerned about downtime and disruption to regular operations.