New study reveals serious disconnect in executive planning for cyberattacks
A new study reveals a major disconnect in the way senior management teams collaborate and determine the risks and impact on their operations when hit by a cyberattack.
The research carried out by Sapio Research for Deep Instinct shows only 12 percent of chief financial officers are actively involved in the process, even though 56 percent say their organization has paid a ransom to recover data.
It's not a surprise then that just 14 percent of CFOs state that their business is well-prepared and could withstand a cyberattack, while 69 percent think that the board doesn't take cyber and associated risks seriously enough.
The survey of more than 200 CEOs, senior financial, and IT security decision-makers working at mid to large enterprises in the UK, finds there's also a large gap between CFO's estimates of ransomware demands and the reality of ransomware payments. Despite respondents saying they would only pay, on average, a ransom of around £760,000, ($960,000) the reality is that those survey respondents that did pay ransoms paid more than £3 million, ($3.8 million) some four times higher than predicted. Moreover, for those that paid ransom demands, only 32 percent were able to recover their data -- showing that positive outcomes are far from certain even when cooperating with bad actors.
Justin Brown, VP market insights at Deep Instinct, believes that businesses should include cyberattacks as part of their disaster planning and have regular rehearsals around how to deal with them. "If you are being hit by an attack and you're finding your systems are encrypted or data was exfiltrated you shouldn't go into panic. What should happen is a little bit of military-style training, you go into action because you know exactly what you're going to do in that situation and you just simply follow up the process. I think what we need to do is get to a point where everyone is calm because they've made happen."
The study also finds that only 38 percent of respondents say they are confident in placing a monetary value on the data within their organization, as well as calculating the potential impact of its loss. Worse still, 48 percent gave answers that reveal a lack of accurate assessments, or no assessments at all.
"I think we've made major advances in the way that customer and prospect data is managed, but it does beg the question if the value of that's being truly quantified. It feels as if there's no hard or agreed model by which to quantify that value," Brown adds. "Because if you look at finance generally we have so many regulations and practices, you have accountancy exams, and you have agreed standards or criteria, yet they don't exist for this. There's no best practice or a framework or something similar, so it's perhaps no surprise that people are fishing around a bit in the dark and doing their best."
You can read more about the findings and get the full report on the Deep Instinct blog.