73% of CISOs Stockpile Cryptocurrency to Pay Cybercriminals if Attacked

Despite spending billions on preventing data loss, the C-suite is demonstrating a stark disconnect between business policy and personal behavior. Many admit to stealing intellectual property (IP) from a former employer, while others are taking hacker attacks as such a certainty that they are literally stockpiling crypto-cash to pay off hackers in the event of a breach.

The survey conducted by Sapio Research reveals multiple disconnects between current data security strategies and the reality of the threat landscape. According to those who commissioned the survey:

• 78 percent of CEOs agree that ideas, in the form of IP, are still the most precious asset in the enterprise, yet 72 percent of CEOs admit they’ve taken valuable intellectual property from a former employer
• 80 percent of CISOs agree that “you cannot protect what you cannot see,” yet 82 percent of business leaders believe that IT can somehow protect data they cannot see
• 64 percent believe their company will suffer a breach in the next 12 months that will go public

This last finding, surveyors say, “has led nearly 73 percent of CISOs to stockpile cryptocurrency to pay cybercriminals.”

Rob Westervelt, research director for the security products group at IDC, is quoted in the report as saying that, “The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy.”

“To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats,” Westervelt added.

C-suiters have no problem defying company policies and data security best practices. For example, 59% of CEOs admit to downloading software without knowing whether it is approved by corporate security. And, among business leaders in general, 77% believe their IT department would view this behavior as a security risk, but disregard the warning.

As many as 93% of CEOs admit to keeping a copy of their work on a personal device, outside of officially sanctioned company storage. And over 68% of them think keeping data outside of company storage poses a risk, but do so anyway.

But perhaps the most sobering finding remains the C-suite’s belief that preparing for breaches by stockpiling cryptocurrency is a good business practice. Surveyors regard this practice as “an unnecessary use of resources to react to cyberthreats.”

“If a data loss event strikes, a comprehensive data security strategy that includes visibility provides companies with the ability to understand what happened and when. As a result, they are positioned to recover much faster,” the researchers concluded.

In a survey of more than 250 cybersecurity professionals at the 2018 RSA conference in San Francisco in April, researchers at Thycotic found that 84% of respondents wanted to be notified immediately if a company they worked with had experienced a breach. At the same time, only 37% of the same cybersecurity professionals would notify customers right away if their organization was breached, researchers found.