More than two-fifths of CISOs, CSOs and CIOs see their C-Suite colleagues as the most information security averse group, a survey has revealed.
This paints a concerning picture at the top of UK businesses given the current global security landscape, the survey report said.
Added to this, 75% of respondents said managers were the most likely to flout data security rules, according to a survey of 250 information security executives at UK-based companies that was commissioned by security firm Bitdefender. By contrast, just 25% thought day-to-day knowledge workers were likely the most infosec averse.
From a departmental perspective, those more likely to handle sensitive information were deemed at greater risk of a data breach. Two in every 10 respondents (23%) cited finance as the most vulnerable department, followed by sales (17%).
The survey also shows that 42% of respondents said they are most concerned about a loss of customer/stakeholder trust, while 26% worry about the company being fined by a supervisory authority, like the UK’s Information Commissioner’s Office (ICO).
The survey report notes that facing an increasingly complex threat landscape, information security executives have had to take stock, and identify where the risks in their respective organisations lie.
“Our research found that nearly two thirds of CISOs are losing sleep at night about information security threats, but their direct C-Suite colleagues are the biggest culprits when it comes to bending the rules,” said Liviu Arsene, global cyber security analyst at Bitdefender. “Infosec execs need to be far tougher at conveying the real life repercussions of poor information security practices, from the board level downwards,” he said.
To overcome the challenges, and pace of cyber security changes, the survey shows that infosec executives are taking a serious look at which small changes, centred on speed, because the swift identification and mitigation of cyber threats could end up being invaluable to an organisation, and affect a positive long term change.
Areas of the security stack where speed was deemed either critically, or very, important by infosec executives are centred around endpoint security, detection and response (75%), closely followed by anti-exploit/memory protection (74%). The report notes that security tools such as these can serve as a vital layer of defence while security teams rush to patch software in the event of a global exploit being discovered.
Just over half of infosec executives seem confident their organisation could patch corporate devices against a discovered vulnerability within 24 hours (51%), however, that still leaves 49% who would take 25 hours and upward, which is why adequate endpoint security is so vital, the report said.
One specific, and recurring, example of a small change security executives have made has been to increase user awareness to the variety of different attack vectors which are currently being exploited by cyber criminals.
Examples cited by respondents range from training programmes teaching employees what to look out for to a “shock tactics” approach, where IT conducts mock-phishing and social engineering attacks on employees to reinforce the consequences of information security negligence.
“Information security is an ever-evolving and changing process, with advancements in technology not only increasing the threat landscape, but also the protective tools available,” said Arsene.
“A balanced approach to data security, encompassing not only best-in-class infosec solutions, but also surrounding yourself with the right security response team is key for effectively mitigating threats,” he said.