They are talking the talk but not walking the walk. Top financial executives may be expressing heightened concerns about their companies' IT security, but over the last three years a smaller percentage of firms have reported policies to prevent data leaks, particularly among companies that have less engagement by their boards.
Indeed, board engagement was found to be critical according to consultant Protiviti’s “2015 Security and Privacy Survey,” which in addition to the data-leak finding also determined that many companies do not yet understand their “crown jewels” requiring extra protection. The survey also suggests there isn’t a high level of confidence in the ability to prevent an internal or external cyber-attack.
The Protiviti findings, stemming from 700 responses from IT and risk professionals to an online survey, echoed remarks made by cyber security experts and several treasurers of major corporations participating in the recent September meeting of the NeuGroup’s Treasurers’ Group of Thirty (T30). The group largely agreed that system breaches are inevitable, making policies to deal with the aftermath essential, and that the security of a company’s network has become a major concern of C-Suite executives and boards of directors.
The survey found that 77 percent of organizations with a high level of engagement by their boards have an information security policy, while that’s true of only 44 percent with medium or low levels of board engagement. Unfortunately, the survey found, the percentage of companies whose boards have high levels of engagement and understanding actually dipped slightly, to 28 percent this year from 30 percent last year. Protiviti notes in its report that it nevertheless continues to “encounter in the market a growing level of engagement and inquiry among board members in numerous facets of [Cyber security].”
The benefits of board engagement appear to spill into several areas. For one, the higher the level of board engagement in information security, the more likely respondents were to say their companies could monitor, detect and escalate potential security incidents by a well-funded attacker, or prevent a targeted external attack or an opportunistic breach by a company insider.
Protiviti notes that confidence levels simply may not rise over time, and that may actually be a good thing.
“With regard to information security, companies cannot become complacent with their current practices and procedures, particularly as cyber-attacks become increasingly sophisticated and multi-vectored,” Protiviti says.