For UK senior executives who admit their organizations have suffered at least one significant cybersecurity breach within the past two years, the associated costs of a breach are considered the most important consequence. This is according to a new study by Centrify.
Nearly two-thirds (63 percent) of respondents in the UK believe investigation, remediation and legal costs are the most important consequence of a breach, followed by disruption to operations (47 percent) and loss of intellectual property (32 percent). They showed less concern for impact on brand, including loss of customers (16 percent) and damage to the company’s reputation (11 percent).
The study of 800 senior-level executives, including CEOs, Technical Officers and CFOs in the UK and US, also indicates that there is confusion among the C-suite about what constitutes a cybersecurity risk and what needs to be done to prevent it. In the UK, malware is seen as the biggest threat to an organization’s success by 44 percent of respondents, compared to just 24 percent who point to default/weak or stolen passwords and 29 percent who blame privileged user identity attacks. However, of those organizations that experienced at least one significant security breach in the past two years, just 11 percent admit it was due to malware, while almost twice as many put it down to either a privileged user identity attack or the result of stolen or weak passwords (both 21 percent).
In fact, 63 percent of UK organizations that experienced a major breach admit that privileged identity and access management would have most likely prevented the breach. According to the survey, the largest areas of cybersecurity investment over the next 12 months will be for malware (44 percent) and phishing (38 percent), while protection against stolen or weak passwords (33 percent) and privileged user identity attacks (26 percent) are investment priorities for fewer respondents.
Barry Scott, CTO EMEA at Centrify, explains: “It’s no surprise that the C-suite often points to malware as the biggest threat. Sensational headlines about major attacks could be to blame, which companies see and react to, often mistakenly, when in fact identity-related attacks – such as stolen or weak passwords, and attacks on privileged users within organisations – are the primary threat to cybersecurity today.
“What’s worrying is that they then look to invest money in protecting against malware, when in fact they should be focusing on the increase in identity-related attacks.”
The statistics cited in this report are from a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence (a unit of The Wall Street Journal/Dow Jones Advertising Department), with sponsorship from Centrify. More than three-quarters of these executives are CEOs, CFOs or technical officers (including CIOs, CTOs and CISOs) and the remainder are their direct reports. The companies represented have at least 1,500 employees and over half have more than 10,000 employees. They are positioned across 19 industries in the US and the UK, and about half report annual revenues exceeding US$5 billion.