Online security? Just let me Google that, say puzzled bosses
Some executives only "kind of" understand cyber security
A significant number of board level executives still have such a poor grasp on cyber security issues that it threatens to put whole organisations at risk from data breaches.
That's the stark warning following a survey by security company Palo Alto Networks which directly asked C-Level executives about their knowledge surrounding security issues and 13% said they only "kind of" understand what defines an online security risk to a businesses. Worryingly, many in leadership roles also said they still have to use Google to help explain cyber security risk.
It also appears leadership uncertainty about cyber security issues hasn't gone unnoticed, with one in ten respondents to the research suggesting that they believe the company's executives or board don't have "accurate understanding of current cyber security issues in order to effectively prevent cyber attacks from compromising their organisation's computing environment".
Despite the report warning that collaboration across the business is required in order to ensure cyber security is as strong as possible, almost half (46%) of those working in management believe that ultimate responsibility for cyber security falls to IT.
It also appears that the IT department feels a sense of duty when it comes to a company's security, with 57% of those workers questioning suggesting that they have sole responsibility for cyber security.
Ultimately, the survey suggests a lack of consensus on who holds responsibility for cyber security. According to Palo Alto Networks, this "passing the cyber security buck" is leaving businesses more exposed to a breach, along with the monetary and reputational damage which follow such an incident.
There's also confusion over what constitutes 'successful' cyber security policy, with different organisations constituting success in a multitude of ways.
For example, one in four companies measure the effectiveness of cyber security by how many incidents have been blocked. Meanwhile, one in five base success around how long it took to resolve an issue and just over one in ten judge it on time since the last incident.
Palo Alto Networks' survey comes after the European Union meeting an agreement on the General Data Protection Regulation (GDPR). The policy will require companies to comply with cyber security requirements or risk fines of up to 4% of global turnover in the event of a data breach. The regulation also spreads reponsibilty for any potential incident throughout the entire company.
"Ultimately, it is critical that managers recognise that, when it comes to cyber security, the onus is on everyone - it's no longer a dark art but an everyday business practice that must pervade every level of the organisation," said Greg Day, vice president and regional chief security officer for EMEA at Palo Alto Networks.
In order to have the best chance of preventing a damaging cyber attacks, Palto Alto Networks recommends organisations "Build a cyber security strategy focused on preventing cyber attacks at every step of the attack lifecycle, taking employee awareness and accountability into account".
The company also stresses that companies should "educate everyone in the business on the role they play in preventing successful cyber attacks on the organisation".
The survey was conducted online among 765 business decision-makers in companies with over one thousand employees in the U.K., Germany, France, the Netherlands and Belgium by Redshift Research.