Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.
The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.
Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their boards cybersecurity knowledge, with 26% stating their boards only steps in when there is a serious incident.
While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,”29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”.
There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they that they don’t fully understand the business impact of these risks
Other key findings include:
- 28% of IT professionals “don’t have visibility” into what the board is told about cybersecurity
- 47% were “not concerned” about their boards knowledge of cybersecurity.
- In the event of a cyberattack, respondents would be most concerned about 62% customer data, 50% damage to brand and reputation and 40% financial damage or stock price.
- 35% of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cybersecurity awareness, while other respondents felt that Heartbleed (19%) had a bigger impact than the Target or Sony breach and the Snowden leaks (17% and 8%, respectively).
Most organisations are not struggling with communication tools said Melancon. They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk