Fewer than a quarter of senior business leaders reckon that they are equipped to deal with a breach, despite nearly half of organisations experiencing a loss in the past two years.
The survey of 341 senior business leaders by the Economist Intelligence Unit (EIU), 41 per cent of who were c-level executives or board members, found that 57 per cent have not been trained on the correct actions to take after information has been lost. It also found that a 27 per cent had an extensive awareness of information risk across the organisation. Just under half (45 per cent) believed that their company had a single view of information risk across the enterprise.
One of the survey’s 17 authors is Stefan Fenz, a researcher at the Vienna University of Technology. He said: “Information risk management is not something you do once, it is a living process. You may do the big work only once, the inventory and the calculations, but then you have to rerun it yearly or half-yearly to see how the threat landscape has changed, as by then your assets may have a different importance to an attacker or yourself.”
Kamlesh Bajaj, CEO of the Data Security Council of India, believed that 80-85 per cent of information risk can be mitigated by “simple hygiene factors”, such as updating operating systems, applying patches to software and keeping anti-virus software up-to-date.
The EIU said that its statistics showed a link between training and the level of preparedness for an actual loss of information, as those respondents who receive regular training are almost twice as likely to feel well prepared (45 per cent) to deal with a breach as those who do not receive any training (23 per cent)
However, that 45 per cent figure dropped to 16 per cent at those companies that have suffered a loss of information, which suggests that current education and training exercises are falling short of preparing senior managers for the real thing.
Chris Sutherland, USA CISO of BMO Financial Group, said: “Besides educating senior executives, practitioners point to the need to improve day-to-day communications across the organisation. At board level, the discussion needs to be couched in terms of the business—where a lack of understanding can extend both ways. “The biggest area where we consistently fail is the language barrier. “It’s the geek-to-suit language.
“We spend all our time talking about exploits and bad guys and using industry buzz words, but we’re not really talking about quantifiable business impact, and that’s really what it’s about.”
