Australian C-suite executives fail to take security seriously
When IBM surveyed 5,600 C-suite executives, it discovered that about 336 of them were ostriches – those with their heads in the sand, claiming there was no possibility of a computer security breach that could materially affect their organisation.
In fact, most survey respondents were more realistic about the threat – 94% thought they were likely to face a significant cyber security incident in the next two years.
However, IBM’s survey revealed a significant group that still has its head in the cyber sand, despite cyber crime being estimated to cost global businesses up to AUS 800bn a year, according to the Centre for Strategic International Studies.
A newly released IBM report, based on interviews with 700 international C-level executives, including a substantial number from Australia, found that even among senior executives who do understand the problem, there is confusion about which groups pose the biggest security threats and how to combat them effectively.
Seven out of 10 CXOs think rogue individuals are largely to blame. In fact, 80% of attacks are spawned by well-informed organised crime rings, according to the United Nations. Employees are also responsible for a significant proportion of breaches.
Glen Gooding, business unit executive for IBM Security in Australia, said that although senior executives were gaining more understanding of the issue, “and we are being asked to more board meetings”, not much was taking place in the way of concrete action, with the responsibility for computer security still often offloaded to a chief information security officer or equivalent, rather than being viewed as a whole-of-organisation responsibility.
Apart from top-end financial institutions and large government departments, Gooding said many senior executives did not take the issue seriously enough until they had been “kicked really hard”.
Even when companies were kicked hard, they were very reluctant to share information with external peers, even though this is acknowledged as the best way to tackle many cyber attacks, he said. Some 68% of C-suite executives said they would be reluctant to share their experiences externally.
Gooding stressed that it was valuable for all enterprises to know about the threat actors, the types of attack and where they were coming from – even if the source of the information was anonymised.
“C-suite executives don’t even like that,” he said. “So we need to further educate the C-levels – this is not about giving your competitors an advantage, but for the greater good.”
Getting a better understanding of the threat landscape is one thing; actually protecting yourself is another. Only 17% of survey respondents felt they were properly “cyber secured”, even though the range of technology available to help companies secure themselves continues to grow.
Australia’s Quintessence Labs, named last year as one of the world’s top emerging innovators by the global Security Innovation Network, a body that includes the US Department of Homeland Security and the UK’s Home Office, has just released a quantum effects-based security appliance.
The Trusted Security Foundation handles centralised management and security of encryption keys. The appliance leverages quantum effects to allow high-speed random number generation, providing highly secure cryptographic keys. Even if a company’s systems are hacked, the material should remain protected.
Vikram Sharma, CEO and founder of Quintessence Labs, said data breaches were growing “exponentially every day”, which was driving organisations to seek more sophisticated security technologies to protect themselves and their data.