Nearly a third of C-Level directors across the UK (32pc) either do not have a response plan in place to manage the consequences of a successful cyber-attack on their business or they are not sure whether they do or not. That’s among findings of a new poll of 250 C-Suite members in organisations with over 50 staff carried out by IT services firm Axial Systems in the first quarter of 2017.
Mike Simmonds, Managing Director of Axial Systems, said: “Businesses are starting to wake up to all the messages we see out there in the marketplace around cyber-preparedness. However, our survey reveals that there is much more work to do. Every organisation should have some sort of a cyber response plan in place – and senior directors within a business should certainly be aware of whether or not such a plan has been prepared. That’s clearly not the case currently.”
In line with this, the survey found that even those directors who said they did have a response plan struggled to provide much detail about it. Many respondents gave basic answers unlikely to constitute an adequate response to a real attack, such as ‘we have back-up help’ or ‘we keep firewalls and anti-virus up-to-date’. Some admitted they did not know the process, while others said they ‘have a team to handle it’ or would ‘call in an expert’.
The Axial survey indicates that part of the issue for the C-Suite may be a lack of dedicated support from within the organisation. More than half (52pc) of C-Level respondents said that cyber-security is the role of the IT department. Only 35pc said there was a separate security department in place, and fewer than half of those respondents said it was headed by a dedicated chief security officer (CSO) or chief information security officer (CISO).
Simmonds says: “This chimes with our own experience in engaging with businesses at Axial. IT departments will inevitably be distracted by a host of other challenges which will make it difficult for them to focus sufficient time and expert resource on security issues. By not having a dedicated security team, organisations are potentially putting themselves at even greater risk.”
The survey also suggests that C-Level directors themselves sometimes fail to lead by example, as ‘transgressions’ in personal handling of business data appear to be much more common among senior directors than among office workers generally. Some 45pc of the C-Level sample admitted to having stored company data on a home computer, while just 14pc of office workers surveyed in a parallel poll conducted by Axial (also employees of organisations with over 50 staff) admitted to having done the same. Similarly, 18pc of office workers said they had ‘sent work data to personal devices for easy access’ – fewer than half the proportion of senior directors (41pc) who admitted to this.
The survey raises concerns about whether those at the top of business are really passing on the message around key security concerns and best-practice approaches to more junior employees. Half of office workers have not received any training at all on IT or cyber-security since joining their business, and many lack a clear understanding of their business’s security policies around IoT and GDPR, it is claimed.
As for how well prepared businesses are for GDPR, just 17pc of the C-Level sample in the survey think their organisation is fully prepared, and there is good reason for that low figure. Many employees are not well versed in the implications, dedicated security teams are in short supply and, perhaps most concerning of all, over one-quarter (26pc) of C-Level directors said their businesses did not have a Data Protection Officer (DPO) in place – even though appointing one is, for many organisations, a mandatory requirement of the pending regulation.
Mike Simmonds says: “What we have found is companies need to have all-encompassing security policies in place. They can’t just say: ‘I’ve got a firewall,’ or ‘I’ve got it all backed-up, so if everything goes wrong, I’ll just restore it.’ That’s not sufficient in itself – the approach needs to be all-inclusive.”