Despite daily reports of financial losses and reputational damage as a result of cyber breaches, a high proportion of boards are still in the dark as to the current state of their companies’ cyber defences.
This is a key finding of ‘Boardroom Cyber Watch 2014’, the second annual international survey of senior executive opinion conducted by IT Governance.
32.5% of respondents said their boards receive no regular reports on how their organisation is developing and implementing its cyber defence strategy.
Nevertheless, there are signs of progress, according to the international sample of 240 board directors, IT directors and other technology professionals polled by IT Governance in April and May 2014.
While 38% of the respondents who did receive a board report on cyber defences said this information is provided only annually or less than annually, the other 62% received this at least monthly – up from 48% in last year’s study.
The survey also suggested that the quality of cyber security reporting to the board is an area requiring improvement, with 21% of respondents believing their company’s board reports fail to provide the information necessary to take decisions, while another 28% were unsure if adequate information is provided.
An additional area of concern is the quality of communication between the IT function and the board. According to the survey, almost a third of respondents (29%) believed that fear of retribution could be discouraging the IT department from fully disclosing details of cyber breaches to top management.
“The lack of boardroom insight into cyber threats revealed by our survey may partly explain the reluctance of some companies to give up outdated security goals,” said Alan Calder, founder and executive chairman of IT Governance.
“This situation is underlined by the fact that 38% of respondents still say their objective is to prevent all cyber-attacks, an aspiration which will strike many information security professionals as unrealistic or even naive.”
Highlighting this sea change, the report revealed that 51% of respondents now accept that aiming to prevent every attack is no longer an appropriate way to ensure business sustainability, and that some attacks will inevitably be successful.
Other findings in the survey included the importance of information security to customers. Some 55% of respondents said customers have enquired about their infosec credentials in the past 12 months. This compares with 50% in the 2013 study, indicating rising demand for documented compliance with best practice standards such as ISO 27001.
Finally, the role played by governments in pushing businesses to demonstrate assurance was highlighted by the report.
Asked if they believed that their country’s government was taking cyber security seriously enough and providing sufficient support for companies to tackle this growing threat, about the same percentage of respondents – 42% – answered yes as no.
“Breaking the figures down further, a marked difference of opinion between the UK and the US has come to light, with British respondents revealing more trust in their government’s tackling of cyber threats than their US counterparts have in theirs,” said Calder.
“While only about 28% of Americans expressed confidence in their government, approximately 51% of Britons did so. This endorsement perhaps reflects the recent official launch of the UK government’s 2014 Cyber Essentials Scheme, which aims to help businesses address cyber security and demonstrate assurance.”