Key decision-makers do not have confidence in their boards’ ability to manage cyber security threats, according to an analysis by a global risk consultancy firm.
The global study, titled Control Risks’ State of the Cyber Security Landscape Survey 2017, shows that almost half of respondents believe their organisation’s board-level executives do not take cyber security as seriously as they should.
The survey was carried out among information technology (IT) and business decision-makers early this year and released recently.
Some 77 per cent of the respondents cited senior executives, rather than the historic owner (the IT department), as being most accountable for cyber security management and decision-making in their organisations.
The survey also found that just over 31 per cent of the respondents reported they were ‘very or extremely’ concerned that their organisation will suffer a cyber attack in the next one year.
About a third (34 per cent) say their organisations do not have a cyber crisis management plan in place in the event of a breach. “The misalignment between treating cyber security as a technological issue or a business risk is not new. Yet the survey shows that this misalignment remains a considerable and on-going concern for many organisations,” said the associate director at Control Risks, Patrick Matu.
Cyber-related incidents cost organisations in Nigeria about $500 million (Sh50 billion) annually. In Uganda, the cost is estimated at $50 million (Sh5 billion) and $250 million (Sh25 billion) in Kenya.
This lack of preparedness is risky, especially in light of the May WannaCry ransomware attack, which affected more than 150 countries.
The survey also found that companies are struggling to adopt a risk-based approach.
Although companies are now less concerned with merely complying with standards and more focused on actually reducing the risk of a cyber attack, almost half (45 per cent) agreed that assessing and managing these risks is their biggest challenge.
Third-party breaches are also a growing concern, with just over a third (35 per cent) of respondents saying a third-party cyber breach had affected their organisation.
Despite nine in 10 respondents (93 per cent) taking steps to evaluate their third-party cyber security measures, 53 per cent said this was confined to contractual measures.
Cyber attacks have major long-term effects. Four in 10 respondents said a cyber attack has resulted in the misuse of sensitive or confidential information (43 per cent) and loss of customer information (41 per cent).
“Our advice is to always start with the threat. The way in which cyber threats are assessed and communicated throughout the business is key. This assessment should include the specific cyber threats to the organisation, how they could impact the business, and what controls might mitigate them,” he said. “After assessing the risks and understanding them, the organisation can then deal with them within its overall risk management strategy,” says the Control Risks report.
Organisations should ensure cyber security becomes a regular item on the board’s agenda. This includes reviewing the external cyber threat landscape in conjunction with IT departments.
Organisations also benefit from regular crisis management exercises that involve all relevant parties including the C-suite, IT, legal, communications, and any other members of the crisis management team.
These exercises ensure that all parties understand their roles and responsibilities and the potential implications of a cyber attack.
The analysis of the responses looked at what organisations across the globe are doing to defend against cyber threats, and sought to identify challenges and best practices for mitigating cyber security risks, that is, the likelihood of threats affecting a particular organisation.