32% of C-Suite members either do not have a response plan in place or are unsure whether they do or not.
Nearly a third of C-Level directors across the UK (32%) either do not have a response plan in place to manage the consequences of a successful cyber-attack on their business or they are not sure whether they do or not. That’s the headline finding of a new poll of 250 C-Suite members in organisations with over 50 staff carried out by Axial Systems in the first quarter of 2017.
Mike Simmonds, Managing Director Axial Systems commented: “Businesses are starting to wake up to all the messages we see out there in the marketplace around cyber-preparedness. However, our survey reveals that there is much more work to do. Every organisation should have some sort of a cyber response plan in place – and senior directors within a business should certainly be aware of whether or not such a plan has been prepared. That’s clearly not the case currently.”
In line with this, the survey found that even those directors who said they did have a response plan struggled to provide much detail about it. Many respondents gave basic answers that are unlikely to constitute a sufficient response to a real attack, such as ‘we have back-up help’ or ‘we keep firewalls and anti-virus up-to-date’. Some expressed a lack of knowledge of the process, while others argued that they ‘have a team to handle it’ or that they ‘call in an expert’.
The Axial survey indicates that part of the issue for the C-Suite may be a lack of dedicated support from within the organisation. More than half (52%) of C-Level respondents said that cyber-security is the role of the IT department. In total, just 35% said there was a separate security department in place, and significantly fewer than half of those respondents said that the department was headed up by a dedicated chief security officer (CSO) or chief information security officer (CISO).
“This chimes with our own experience in engaging with businesses at Axial,” adds Simmonds. “IT departments will inevitably be distracted by a host of other challenges which will make it difficult for them to focus sufficient time and expert resource on security issues. By not having a dedicated security team, organisations are potentially putting themselves at even greater risk.”
The survey also reveals that C-Level directors themselves sometimes fail to lead by example. Levels of ‘transgression’ with regard to personal use of business data appear to be much higher among senior directors than among office workers generally.
45% of the C-Level sample admitted to having stored company data on a home computer while just 14% of office workers surveyed in a parallel poll conducted by Axial (also employees of organisations with over 50 staff) confess to having done the same. Similarly, 18% of office workers said they had ‘sent work data to personal devices for easy access’ – fewer than half the proportion of senior directors (41%) that admit to this.
The survey raises concerns about whether those at the top of business are really passing on the message around key security concerns and best-practice approaches to more junior employees. 50% of office workers have not received any training at all on IT/cyber-security since joining their current business, and many lack a clear understanding of their business’s security policies around IoT and GDPR.
Given this backdrop, it is perhaps unsurprising there is so much speculation across the business world about how well prepared businesses are for GDPR. Just 17% of the C-Level sample in the survey think their organisation is fully prepared and there is good reason for that low figure.
Many employees are not well versed in the implications, dedicated security teams are in short supply, and perhaps most concerning of all, over one-quarter (26%) of C-Level directors said their businesses did not have a Data Protection Officer (DPO) in place – even though having one is, in many cases, a mandatory requirement of the pending regulation.