Cyber breaches common but risk knowledge is lacking
Most board members and top executives lack confidence in their company’s cyber-security readiness, according to EY’s 19th Global Information Security Survey 2016-17.
The survey found:
- 87% of board members and C-level executives say they lack confidence in their organization’s level of cybersecurity
- 57% of respondents have had a significant cybersecurity incident recently, which shows that there is still more work to do to strengthen the corporate shield
- Because of the low quality of reporting on information security, 52% of respondents think their boards are not fully knowledgeable about the risks the organization is taking and the measures that are in place
The report also found positive signs of improvement: this year, 50% of organizations said they have become more confident in their ability to predict and detect a sophisticated cyber attack, the highest level of confidence since 2013.
But there is still a lot of work to be done given that:
- 44% do not have a continuous monitoring mechanism such as a Security Operations Center
- 64% do not have, or only have an informal, threat intelligence program
- 55% do not have, or only have an informal, vulnerability identification capability
PwC offered a list of questions boards should be asking:
- How is cybersecurity incorporated into risk management oversight? Is there clear understanding of the company’s risk appetite in terms of business disruption, loss of information or system downtime?
- What is on the board’s dashboard for cybersecurity? How often does management report to the board on this topic, and how often is a third-party consultant used to provide a fresh perspective?
- Does the board have a robust response, communications and recovery strategy?