A cyber security “accountability gap” is appearing in corporations around the world as executives are becoming more vulnerable to cyber security attacks than other company employees, according to a recently released report titled Accountability Gap: Cybersecurity and Building a Culture of Responsibility. The report was produced by the Institute of Management Studies, Goldsmiths, University of London; Tanium; and Nasdaq.
The report’s authors surveyed 1,530 non-executive directors (NEDs), C-level executives, Chief Information Officers and Chief Information Security Officers from around the world and found that 90 percent of respondents have medium-to-high cyber security vulnerability. Researchers analyzed two variables they say best measure cyber vulnerability: awareness and readiness. Awareness was defined as knowing about the risk, while readiness was having the ability to address it.
Regarding awareness, 91 percent of high-vulnerability board members say they can’t interpret a cyber security report, while only 10 percent of the high-vulnerability respondents agree that they are regularly updated on relevant information relating to cyber security threats. Furthermore, low-vulnerability respondents reported being 31 percent more likely than their high-vulnerability counterparts to have assessed the risks and losses of potential cyber-attacks.
Executive responses were equally striking when measuring readiness. Almost all (98 percent) of the high-vulnerability executives express uncertainty regarding whether their organization is consistently tracking all devices and users on their system, while 87 percent of the same group do not believe their malware, antivirus software and patches are always up to date. Only 9 percent of board members appeared sure that their systems were regularly updated in response to cyber threats.
Forty percent of the NEDs, C-level, and CIO/CISO-level respondents admitted they don’t feel responsible for the repercussions of a cyber attack, a strikingly high number that is probably to be expected, given how little information and training they say they have received. This perceived lack of responsibility highlights the growing accountability gap emphasized in the research.
Germany, Japan and the Nordic countries have the highest percentage of vulnerable respondents, with NEDs being the most vulnerable across all regions. Only 8 percent of these highly vulnerable board members reported being updated with information about cyber security threats and only 50 percent reported receiving cyber security training. The study found the high-vulnerability NEDs are 12.5 times less likely than the low-vulnerability NEDs to understand cyber language. The study recommends greater training and information sharing with board members as an immediate step many organizations can take to address cyber security vulnerability.
To see the complete report, go to: Accountability Gap: Cybersecurity and Building a Culture of Responsibility