Knowledge and awareness of the threat landscape is the first step in stopping cyber attacks, and companies have made great strides in this area in the last few years. Unfortunately, many still seem to be struggling with the vital second step of actually getting defenses and procedures in place.
This is the general theme of Proofpoint’s “2022 Board Perspective” survey, which takes its input from board directors at large organizations. Well over half of these organizations appreciate the risk of cyber attacks and are anticipating them in the next 12 months, but just under half (47%) say they feel equipped to deal with them at present. This number can drop to as low as 12% in certain countries.
Companies see the threats coming, but many are still not sure what to do about them
Ideally, 100% of large organizations would be anticipating a cyber attack in the next 12 months, if from nothing other than automated bots trying out known vulnerabilities on just about everything connected to the internet. 65% of respondents say that they need defenses in place in the next year for this eventuality and 75% say that they are aware of the full impact of a successful attack, but only a little over half are confident in their ability to rebuff attacks and control lower-level invasions.
In spite of this relatively large block of companies that feel their defenses are not adequate, 76% of the respondents feel their employees are adequately educated in their personal roles in preventing cyber attacks. About the same number of organizations also say they discuss cyber security issues regularly at meetings. The disconnect here could be explained by a number of things: a lack of confidence in defensive software and systems, a lack of appropriate IT staffing or mistaken measurement of employee competence in security hygiene, to name just some of the possibilities.
The survey also indicates that organizations have largely turned executive defense responsibility over to the CISO, but that boards are not necessarily keeping in touch with CISOs. 90% say that they have appointed a CISO, but only 50% say that the CISO and board have any kind of regular interactions. 33% say that their interaction with the CISO is limited to when presentations are made for the board. For their part, only 51% of CISOs said that they saw security issues in the same way the board did.
Cyber attack frequency understood, but boards still struggle to understand complexity
After soaring cyber crime rates in the wake of the Covid-19 pandemic, boards now seem to understand that cyber attacks are more rampant than ever and are a reality that all organizations need to deal with. They may still be underestimating how complex and dangerous these attacks can be, however.
Of the 65% of executives that are anticipating a cyber attack in the coming year, only 23% feel that an attack is “very likely.” 35% do not think a “material” attack that causes substantial damage is a possibility in the coming year.
The responses to the survey were gathered from a mix of industry types and countries throughout the world, with all responding companies having at least 5,000 employees.