Most UK C-level executives that have suffered a breach care about the associated costs more than losing customers, according to new research from Centrify.
The identity security vendor polled 800 CEOs, CFOs, CTOs, CIOs, and CISOs in US and UK organizations to compile its latest report, CEO Disconnect is Weakening Cybersecurity.
In the UK, 63% of respondents rated investigation, remediation and legal costs as the most important factor stemming from a breach, followed by disruption to operations (47%) and loss of intellectual property (32%).
On the one hand, the findings should mean that senior executives are ready to buy-in to GDPR initiatives, given the huge new fines that could result from non-compliance.
However, it also indicates an overly narrow focus on the potential repercussions of a successful cyber-attack, resulting in security investments that continue to be piecemeal and reactive. Just 16% said loss of customers was the most important factor to consider post-breach, whilst 11% cited damage to the company’s reputation.
Yet both of these less immediately quantifiable factors can have a major long-term impact on a breached organization.
It’s claimed, for example, that TalkTalk lost over 100,000 customers after the breach in 2015.
Centrify also identified a damaging disconnect between CEOs in the UK and US and their technical C-level colleagues — with the former seeming to be heavily influenced by sensational headline-grabbing malware threats such as WannaCry.
Nearly two-thirds (65%) of CEOs claimed malware was the biggest threat to the company, compared to just 35% of CIOs, CTOs and CISOs. In fact, the technical C-level were more likely to point to identity compromise (42%) as the primary threat to their organization.
The findings are borne out by the fact that 68% of executives from companies that already experienced a breach with serious consequences said it could have been prevented by either privileged user identity and access management or user identity assurance. Just 8% said the same about anti-malware endpoint controls.
"Building a secure defense against the very real risk that data breaches pose requires investment and just like any other major cost to an organization the CEO needs to be convinced of the merits in doing so,” Centrify CTO, Barry Scott, told Infosecurity.
“This is more about educating CEOs in a language they understand about the need to invest in a comprehensive protection plan that guards against the primary threat to cybersecurity today, that is identity-related attacks, rather than reacting to the sensational headlines that malware generates."