Four in 10 executives surveyed by The Economist Intelligence Unit say the board of directors should oversee cybersecurity policies, while 24% back creation of a specialized cyber committee.
The survey found little consensus among boards and executives on cyber resiliency planning, including deployment of strategies across the organization, where to allocate funds, and which areas of the organization are most at risk. The split in cyber preparedness was also apparent across geographies, as North American companies contrast strongly with their peers in Asia and, to some extent, the EU, on issues such as expectations for frequency and impact of cyber-attacks, and confidence in their ability to recover from a breach.
According to the findings, the average corporate cyber resilience spend was about 1.7 percent of revenue, and 96 percent of board members believe that isn’t enough. North America spent the most on cyber-resilience as a percent of revenue (2-3%), whereas the other regions spent 1-2% or less. The survey shows little consensus on how to allocate cyber budgets, although “technology to harden cyber-defenses” and “IT talent acquisition, skills training/development” drew very close responses. Moreover, three out of the four regions believe the “board as a whole” should oversee cyber risk, while Europe disagreed, saying it should be a dedicated cyber group.
The EIU surveyed over 450 companies across the globe about their strategies and the challenges they face in building cyber-resilient organizations.
A previous survey, by accounting and advisory firm BDO USA, showed 79% of the 140 public company directors surveyed in August 2017 reported that their board was more involved with cyber security than it was 12 months earlier. A similar percentage (78%) said they had increased company investments during the previous year to defend against cyberattacks, with an average budget expansion of 19 percent. It was the fourth consecutive year that board members reported increases in time and money invested in cyber security.