'Disappointing' executives ignorant of security's financial risk: researcher

Australian CSOs are more confident in their ability to stop the theft of corporate data than their overseas peers but are more likely to believe company executives have no idea about the financial impact of a data breach, new Ponemon Institute research suggests.

The firm's Exposing the Cybersecurity Cracks survey, conducted for security firm Websense, weighed security attitude amongst 4881 IT and IT-security practitioners in Australia and 14 other countries.

Results suggest that nearly 6 in 10 companies don't have adequate intelligence about security threats against their companies, but Australians were more confident than overseas peers in their ability to detect and stop attacks: only 58 per cent of Australian respondents, compared with 69 per cent of those overseas, believe cybersecurity threats "sometimes fall through the cracks" of corporate security systems.

Some 55 per cent of respondents believe their organisation is not protected from advanced cyber attacks, and 57 per cent doubt they can stop the exfiltration of confidential information from the company's systems.

The latter figure is somewhat below the 63 per cent figure reported globally, suggesting that Australian CIOs and CSOs are more confident than overseas counterparts in their ability to control the flow of data.

Yet new threats are continually keeping them on alert: "The landscape has changed quite dramatically in terms of how threats have changed," Websense country manager Gerry Tucker told CSO Australia.

"That has resulted in a rapidly changing requirement to adjust the security posture, and this means security professionals are having to change how they approach security – and, as a result, how they invest resources to deal with that."

Investment decisions are complicated by the fact that executives still seem to have a poor understanding of information security – with 53 per cent saying their board-level executives have a "sub-par" understanding of security issues.

More worrying still is the potential financial impact on a company should information-security protections be violated.

Some 82 per cent of Australian respondents said their corporate leaders did not equate losing confidential data with a potential loss of revenue – surprising to many given that Ponemon Institute research suggests the average cost of a data breach is $5.4 million.

Such attitudes have persisted despite years of industry attempts to educate users, leading Centre for Internet Safety security expert Alastair MacGibbon to lament the Ponemon findings.

"After this length of time, with the amount of information about the threat environment and the types of things that criminal groups will get up to, this is a depressing set of numbers," he told CSO Australia.

"You can't defend against the threat if you don't understand what the threat is – but this survey shows that a significant percent of the population don't think they actually understand the threat environment."

Such findings reinforce the need for CSOs and equivalents to work as advocates for security education within their companies, proactively educating business leaders about the very real threats today's organisations face.

"What you've got is a serious disconnect," MacGibbon continued. "The security guys know what they have to do, and very often it's getting the business to learn that equation in terms of risk and mitigation."

This shift requires a team effort and broad-brush collaboration, Tucker added, particularly given survey findings that 55 per cent of companies don't think they're protected from security threats and 57 per cent say they can't stop the exfiltration of data.

"One of the things they're doing well is moving from compliance to a threat-based security posture," he explained. "They're coming to look at it as more of a lifecycle, rather than discrete processes.

"They're working to combine the risk of teams within the business – who tend to be more numbers and business-focused – and having those teams working closely with the security teams. So, they are better able to put together a business case that demonstrates the risk – and what would be the consequences if something did happen."


Stories by David Braue
