The world's business leaders have high levels of confidence in their organisations' cyber defences, but that confidence is largely out of tune with reality.
Most have inadequate structures and policies in place, and security awareness training sessions and use of key defensive tools are both declining.
Many leaders fail to understand both the risks they may face from cyber threats, and the impact past incidents may have had on their organisation's reputation. The threat from insiders is also way underestimated.
All this comes from a worldwide study conducted by consultancy firm PricewaterhouseCoopers (PwC), in collaboration with CSO Magazine, the US Secret Service, the FBI and Carnegie Mellon University's Software Engineering Institute CERT programme.
Over 9,300 high-ranking executives responded to the survey (PDF), including CEOs, CFOs, CISOs and IT directors from 128 countries. Two-thirds of respondents were based in the US or Europe. Data was gathered in spring 2012, so may be a little behind the latest developments, but it shows some clear trends year-on-year.
Some 42% of those questioned thought of their organisations as 'front-runners' in terms of information security. But when their responses elsewhere were aligned with a baseline set of requirements, including properly measuring and reviewing security measures, keeping track of incidents, and giving security leads sufficient rank within the company structure, only 8% came out as actual leaders.
While budgets are on the rise after recent cutbacks in most regions, economic conditions remain the biggest factor in deciding security spending, much higher than any actual security requirements.
There have been significant year-on-year drops in the deployment of all forms of security technology, including:
- Spyware and adware detection tools, down from 83% in 2011 to 71% in 2012;
- Device control, down from 57% to 47%;
- Vulnerability scanning, down from 59% to 46%;
- DLP, down from 48% to 39%; and
- IPS, down from 62% to 53%.
Despite a slight increase in the number of breach incidents, financial losses are reported to be down. But most seem to be ignoring important aspects of data breaches; while 52% consider direct loss of customer business after a breach, only 27% take into account the possible long-term damage to brand reputation.
A previous PwC survey on attitudes to data sharing (PII required to access the report, ironically) found that 61% of consumers would stop using a company hit by a data security breach.
With mobile device use booming, 88% reported they use personal kit for work purposes, but only 45% have BYOD security strategies in place, and 37% use mobile anti-malware.
In terms of who gets the blame for security issues, other high-level staff take less flak than previously, but are still considered a major issue, with CEOs thought a hindrance by 21% of respondents; lack of funds is not far ahead on 26%.
The only issue rising year-on-year in this area is shortage of in-house technical expertise, up slightly from 21% to 22%. This aligns with reports of a lack of skilled staff seen elsewhere.
Personnel-related security measures were down on every count over the previous year, including training, vetting and monitoring staff, and employing experts in specialist roles. This greatly increases the risk of insiders stealing or leaking data:
Twice as many respondents indicated “non-malicious insiders” cause more sensitive data loss than malicious inside actors
There's much more in the full report, including some interesting stuff on regional variations - Asia, apparently, is outpacing the rest of the world in running tight ships.
So what are the big takeaways from this hefty bundle of data? The figures certainly back up other recent reports showing top-level people are behind the curve on computer security issues.
Fines and regulation aren't doing the job; what's clearly needed here is better education. If even people in dedicated high-level security roles are seen to be part of the problem (perhaps not as surprising as you might think, thanks to the Peter Principle), there clearly needs to be more effort put into spreading the word.
In the UK, the government has recently announced a major awareness project, which looks set to focus on businesses as well as end-users. This could well be an important step in the right direction; for too long private security firms and a few specialist journalists and bloggers have shouldered the burden of opening people's eyes to the dangers lurking in the murky pond of the internet.
To get this message into the right places, which clearly include those big desks in the top-corner offices, is going to take a lot of time and effort, from every level. Hopefully we're making some progress, and we'll see some of these rather depressing trends reversing next time around.