Most CEOs clueless about cyberattacks – and their response to incidents proves it

Summary: Despite an onslaught of devastating high-profile cyberattacks, four in five CEOs aren't regularly informed about potential threats to their organizations, and only 14 percent of top executives play an active role in the incident response process.


Organized cyberattacks continue to grow in both volume and complexity, yet the vast majority of top executives at the companies and organizations being targeted remain remarkably unaware of just how vulnerable their networks and data are to a multitude of different threats.

This lack of awareness, according to a new survey by security research firm Ponemon Institute, is directly correlated to how quickly – or not – companies respond to an attack and eventually sort out how it happened and who was responsible.

"Our research indicates that organizations are not communicating with business leaders about computer security threats," the report concluded. "Whether this is because they are afraid to admit the realities to the people that they work for, or because they don’t know how to articulate those realities in dollars and cents terms that are relevant to business decision makers, the consequences are the same."

For small and midsize businesses, the inability to effectively respond to or protect against cyberattacks is primarily the unfortunate consequence of limited IT budgets. For large enterprises and government agencies, it's often a combination of hubris, organizational dysfunction, and indifference or ignorance among top executives that conspires to keep their organizations at risk time and time again.

Only 20 percent of the 674 IT and IT security professionals surveyed said they regularly communicate with upper management about potential security threats. Yet 57 percent said they expect their organization to experience a breach within the next year.

More troubling, especially for customers such as those affected by the wave of attacks against Target and other leading retailers, is that respondents reported it takes their companies at least a month to investigate an attack, restore service and verify that the incident has been resolved. Forty-seven percent of respondents admitted their companies either don't assess the readiness of their cybersecurity response teams or don't do so on a regular basis. Only 23 percent of organizations have a corporate communications plan in place for the event that a material breach needs to be disclosed to the public, and 45 percent admitted that they neither share threat intelligence with nor receive it from other organizations.

"Computer security needs to be a boardroom discussion, before the organization is in the headlines, and not after," Ponemon researchers added. "It's not only important that organizations track the incidents they are experiencing; it's also important to relate those incidents to the bottom line of the organization and convey that information to business leaders."


About

Larry Barrett is a freelance journalist and blogger who has covered the information technology and business sectors for more than 15 years. Most recently, he served as the online news editor for 1105 Media's Office Technology Group and as the online managing editor for SourceMedia's Investment Advisory Group publications Financial Pl...
