A deluge of new studies points the finger at CEOs taking stabs in the dark – rather than informed decisions – when it comes to cybersecurity investments.
For at least two years, CISOs and CIOs at major global companies have expressed dissatisfaction with their tight IT security budgets, even going on record with their grumbles in countless surveys.
At best, their leaders are said to be investing in the wrong defenses, as shown in the most recent such survey conducted by WSJ Custom Studios.
Identity as the primary attack vector
The report highlights that CEOs at big firms mistakenly focus on malware, creating misalignment within the C-suite and leading to investment in the wrong areas. This results in undue risk and prevents organizations from effectively stopping breaches, analysts found.
Well over half of CEOs surveyed cite malware as the primary threat to cybersecurity, compared with only a third of Technical Officers. Only 8 percent of all executives said anti-malware endpoint security would have prevented the “significant breaches with serious consequences” that they experienced.
“62 percent of CEOs inaccurately cite malware as the primary threat to cybersecurity, while Technical Officers on the front lines of cybersecurity know that identity is the primary attack vector,” the report reads.
It gets worse. Only 55 percent of CEOs say their organization has experienced a breach, whereas 79 percent of CTOs acknowledge they’ve been breached. It’s no laughing matter to realize that 24 percent of CEOs are not aware they have been breached.
The report delves into the actual investments dictated by CEO bias, such as server-focused solutions (network AV), malware detection and website firewalls. Yet Technical Officers at those same organizations say that misuse of privileged credentials is by far the most common cause of breaches.
In other words, leaders should be looking at preventing identity theft, which often occurs through simple social engineering schemes, by deploying additional identity validation checks. From access control lists and multi-factor authentication to restricting sensitive company data to only a handful of people, preventing identity theft is not just a matter of technologies, but also of internal procedures.
CEOs need training too
In fact, these results seem to corroborate a recent FS-ISAC survey in which most CISOs interviewed said employee training should be a top priority for improving security posture – especially in the financial sector.
“Training employees should be prioritized for all CISOs, regardless of reporting structure because employees serve as the first line of defense,” researchers said. “Employee training should include awareness about downloading and executing unknown applications on company assets, and in accordance with corporate policies and relevant regulations, and training employees on how to report suspicious emails and attachments.”
The WSJ study also exposes a disconnect between CEOs and Technical Officers that leads to misaligned security strategies and tension among executives. Again, the same upsetting trend is spotted in the FS-ISAC research.
The most disconcerting finding from these and similar studies, however, is probably that CEOs are in the dark regarding the biggest threats facing their organizations. While malware is indeed a very present threat, it is the human factor that most often comes into play and (unknowingly) allows hackers access to sensitive data.
Not only would businesses be smart to invest in staff training, they’d be doing themselves a favor to make cybersecurity a board room topic – and maybe send the CEO on a (metaphorical) cybersecurity boot camp every once in a while.