The bottom line is the biggest motivator on data protection issues for senior executives, research has revealed. The study from Centrify, which surveyed 800 chief executive officers, chief technology officers and chief financial officers at firms in the UK and the US, looks at attitudes and reactions to cyber-threats among business leaders. Among its findings: 63% of UK executives see the financial costs of investigation and remediation, along with legal costs, as the biggest impact of a data breach. This suggests that GDPR's mammoth fines, a maximum of €20 million or 4% of global annual turnover, whichever is higher, are well targeted to focus corporate minds.
The survey also reveals a misunderstanding of the nature of cyber-threats among C-suite executives. Among UK bosses, 44% said they see malware as the biggest cyber-security threat, while just 24% identify weak or stolen passwords and 29% point to the threat of privileged user identity attacks. Threat perception, however, does not match those same firms' experience. Of executives whose firm had suffered a data loss over the previous two years, only 11% put it down to malware, while 21% blamed poor passwords and another 21% pointed the finger at a privileged user identity attack.
The mismatch in perception is easily explained, according to Centrify’s EMEA CTO, Barry Scott: “It’s no surprise that the C-suite often points to malware as the biggest threat,” he said. “Sensational headlines about major attacks could be to blame, which companies see and react to, often mistakenly, when in fact identity-related attacks – such as stolen or weak passwords, and attacks on privileged users within organisations – are the primary threat to cybersecurity today.”
The good news is that breached firms can, at least in retrospect, see where they were vulnerable. 63% of attacked firms admit in the survey that they could have stopped the breach with better identity and access management, while more than half accept that improved audit trails would have protected them. Their view is supported by the Verizon 2017 Data Breach Investigations Report, which found that 81% of hacking-related breaches involved weak or stolen passwords.
In the survey's results, CTOs were less likely than their CEO or CFO colleagues to misidentify the key threat, with only 35% citing malware; unfortunately, it is the CEOs and CFOs who control the purse strings. Asked to identify cyber-security investment priorities for the coming year, 44% said they will be combatting malware and 38% phishing, while fewer will focus on password strength (33%) or privileged user identity attacks (22%). This disconnect is concerning to Barry Scott: “What’s worrying is that they then look to invest money in protecting against malware, when in fact they should be focusing on the increase in identity-related attacks. Business leaders need to rethink their strategy with a security approach that verifies every user and every device, and provides just enough access and privilege.”