Persistently low C-suite engagement may expose organisations to increased cyber risk, according to a new survey.
The study, by cyber security specialist Trend Micro, found that over 90% of the IT and business decision makers surveyed expressed particular concern about ransomware attacks.
Despite widespread concern over spiralling threats, the study also found that only around half (57%) of responding IT teams discuss cyber risks with the C-suite at least weekly.
“Vulnerabilities used to go months or even years before being exploited after their discovery,” said Eva Chen, CEO of Trend Micro.
“Now it can be hours, or even sooner. More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cybersecurity landscape evolves. IT leaders need to communicate with their board in such a way that they can understand where the organisation’s risk is and how they can best manage it.”
There were some positive take-aways. Just under half (42%) of respondents claimed that cyber-attacks are the area in which their organisation is spending most to mitigate business risk. This was the most popular answer, above more typical projects such as digital transformation (36%) and workforce transformation (27%).
Around half (49%) of those surveyed said they have recently increased investments to mitigate the risks of ransomware attacks and security breaches.
However, low C-suite engagement combined with increased investment suggests a tendency to throw money at the problem rather than develop an understanding of the cybersecurity challenges and invest appropriately, according to Trend Micro.
This approach may undermine more effective strategies and risk greater financial loss, it suggested, as fewer than half (46%) of respondents claimed concepts like cyber risk and cyber risk management were known extensively in their organisation.
Most (77%) of those surveyed want to hold more people in the organisation responsible for managing and mitigating these risks, which would help to drive an enterprise-wide culture of “security by design.” The largest group of respondents (38%) favoured holding CEOs responsible. Other non-IT roles cited by respondents included CFOs (28%) and CMOs (22%).