Most CEOs clueless about cyberattacks – and their response to incidents proves it

Despite an onslaught of devastating high-profile cyberattacks, four in five CEOs aren't regularly informed about potential threats to their organizations and only 14 percent of top executives play an active role in the incident response process.
Organized cyberattacks continue to grow in both volume and complexity yet the vast majority of top executives at the companies and organizations targeted are still remarkably unaware of just how vulnerable their networks and data are to a multitude of different threats.

This lack of awareness, according to a new survey by security research firm Ponemon Institute, is directly correlated to how quickly – or not – companies respond to an attack and eventually sort out how it happened and who was responsible.

"Our research indicates that organizations are not communicating with business leaders about computer security threats," the report concluded. "Whether this is because they are afraid to admit the realities to the people that they work for, or because they don’t know how to articulate those realities in dollars and cents terms that are relevant to business decision makers, the consequences are the same."

For small and midsize businesses, the inability to effectively respond to or protect against cyberattacks is primarily the unfortunate consequence of limited IT budgets. For large enterprises and government agencies, it's often a combination of hubris, organizational dysfunction and indifference or ignorance among top executives that conspires to keep their organizations at risk time and time again.

Only 20 percent of the 674 IT and IT security professionals surveyed said they regularly communicate with upper management about potential security threats. Yet, 57 percent said they expect to experience a breach within the next year.

More troubling, especially for customers such as those affected by a wave of attacks against Target and other leading retailers, is the fact that it takes companies at least a month to investigate an attack, restore service and verify the resolution of the incident. Forty-seven percent of respondents admitted their companies either don't assess the readiness of their cybersecurity response teams or don't do so on a regular basis. Only 23 percent of organizations have a corporate communications plan in place in the event that a material breach needs to be disclosed to the public, and 45 percent admitted that they don't share or receive threat intelligence with other organizations.

"Computer security needs to be a boardroom discussion, before the organization is in the headlines, and not after," Ponemon researchers added. "It's not only important that organizations track the incidents they are experiencing; it's also important to relate those incidents to the bottom line of the organization and convey that information to business leaders."