Only 28 percent of business leaders have heard of the Equifax breach, just 31 percent are aware of the 2014 eBay data breach, and just 34 percent have heard of WannaCry ransomware, a recent Veracode survey of 1,403 business leaders in the U.S., the U.K. and Germany found.
Only five percent of respondents said the Equifax breach prompted them to rethink their approach to cyber security, and just one in 10 said the same of WannaCry.
Strikingly, 25 percent of all business leaders in the U.S. and U.K. said they don’t understand any of these common threats:
- phishing attacks
- DDoS attacks
- vulnerable software
- malicious employee activity
- vulnerable open source components
One third of all respondents said they don’t plan to take any new steps to improve their organization’s overall cyber security in the next 12 months.
Still, 33 percent said a cyber attack on another company had led them to rethink their own approach to cyber security.
Thirty-four percent have already started scanning for vulnerabilities in software or will start over the next year, 22 percent have set or will set security thresholds for software built by third-party providers, and 20 percent have set or will set security thresholds for all commercial out-of-the-box applications.
“Digital transformation presents both massive opportunity to innovate and significant security risks, with 77 percent of applications having at least one vulnerability when first scanned, which could be exploited to inject ransomware or steal data,” Veracode CTO Chris Wysopal said in a statement.
“Many business leaders have yet to fully grasp the most common cyber threats to their business, nor are they keeping up with some of the most catastrophic cyber events of our time,” Wysopal added. “We need to bridge this disconnect between business leaders and the cyber security threat: without greater awareness of the threats and what is needed to defend against them, their company could easily be the next headline.”
When asked how best to increase board awareness of cyber security issues, 38 percent of respondents suggested articulating the potential brand damage, 35 percent recommended explaining the risk to senior executives’ job security, and 29 percent suggested highlighting the potential fines due to data protection regulations like GDPR.
A separate CyberArk survey of more than 1,300 IT security decision makers, line of business owners, and DevOps and app developer professionals worldwide found that 50 percent of respondents admitted that their organization hadn’t fully informed customers when their personal data was compromised in a cyber attack.
Forty-six percent of security respondents acknowledged that their organization is unable to stop every attempt to breach their internal network, and 63 percent of business respondents worry that their organization is susceptible to attacks, like phishing, that target the executive team.
Still, 49 percent of business respondents — and 33 percent of security professionals — admit they don’t have sufficient knowledge about their own security policies, and 52 percent of business respondents don’t understand their specific role in response to a cyber attack.
Twenty-one percent of line of business respondents and 19 percent of security professionals store login credentials in paper notebooks or in filing cabinets, and 42 percent of line of business respondents and 36 percent of security professionals do so in a document stored on a company PC or laptop.
Seventy-eight percent of business leaders said security should be discussed at the board level more frequently.