Majority CEOs unwilling to share cybersecurity information with outsiders

Some 68 percent of CEOs say they are unwilling to share their organisation's information on cybersecurity incidents with outsiders, highlighting the ongoing challenge of establishing better cooperation among enterprises.

This reticence also conflicted with the fact that 55 percent of CEOs acknowledged industry collaboration was necessary to fight cybercrime, according to an IBM study, which polled more than 700 CXOs in 28 countries. Some 24 percent of respondents were from the Asia-Pacific region, including Singapore, Australia, China, and India.

"This exposes a resistance to widespread and coordinated industry collaboration, while hacking groups continue to perfect their ability to share information in near real-time on the Dark Web," noted IBM.

The CEOs stressed the need for external parties to do more as well as stronger government oversight, increased industry collaboration, and cross-border information sharing. Asked about an external party's role in addressing cybercrime, 61 percent of CEOs said governments should play a stronger role, while 53 percent said cross-border information sharing was essential.

"[It's] a dichotomy that needs to be resolved," it said, pointing to further findings that indicated confusion among CXOs about who the real cybersecurity adversary was and how to fight them effectively.

For instance, the study revealed that 70 percent of the c-level respondents believed rogue individuals posed the biggest threat to their enterprise. The reality, though, was that 80 percent of cyberattacks originated from highly organised crime networks in which data, tools, and expertise were widely shared, IBM said, citing findings from a United Nations report.

Some 54 percent of the CXO respondents did highlight crime rings as a concern, but 50 percent also pointed to competitors as equally worrying.

IBM Security's vice president Caleb Barlow said: "The world of cybercrime is evolving rapidly, but many c-suite executives have not updated their understanding of the threats.

"While CISOs and the board can help provide the appropriate guidance and tools, CXOs in marketing, human resources, and finance--[encompassing] some of the most sensitive and data-heavy departments--should be more proactively involved in security decisions with the CISO," Barlow urged.

Because these business units managed sensitive customer and employee data as well as corporate financials and had access to banking details, they were among the primary targets for cybercriminals, IBM said.

The study further revealed that 60 percent of CFOs, chief HR officers, and CMOs admitted they were not actively engaged in their company's cybersecurity strategy and execution. Only 57 percent of HR heads, for instance, had deployed employee training in cybersecurity.

The level of assurance also appeared to vary between the types of c-level executives within the organisation. The survey found that 65 percent of CXOs were confident their company's cybersecurity plans were well established. But while 77 percent and 76 percent of chief risk officers and CIOs, respectively thought so, only 51 percent of CEOs felt likewise.

"Considering that successful cybercriminals are known to collaborate among themselves, it stands to reason collaboration on security management and incidents among organisations would contribute to risk reduction," IBM said. "Among cybercriminals, that collaboration takes the form of one actor discovering a weakness and making the knowledge available for sale for others to exploit. CEOs of cybersecured organisations are much more likely to share incident data with external parties. They are three times more likely than others to collaborate with industry competitors, and twice as likely to collaborate with third-party security services firms and vendors and partners."

Big Blue added that CXOs should recognise the value of external collaboration as a way to combat cybercrime. As organisations shared more knowledge about cybercriminals and their activities, including incident reports, the better prepared they would be to implement the necessary mitigation plans.