CEOs slow to come around with cybersecurity practices

While they may recognize a need to take action on cybersecurity, many CEOs just are not.

CEOs are overseeing companies that, by and large, still have a lot to do to tighten their cybersecurity practices and do not appear to be acting with particular urgency.

While they may recognize a need to act, many just are not.

Those are the findings of a survey by CyberArk, a cybersecurity company, which polled 1,300 IT security professionals about companies’ practices.

“There is work to be done to show a recognition that challenges remain and need to be addressed,” Adam Bosnian, executive vice president of global business development at CyberArk, told FierceCEO.

Companies “are getting a little bit more candid about security, but they still need to act,” Bosnian said.

The survey found that half of businesses did not fully inform customers when their personal data was compromised in a cyberattack. This is troubling because with enforcement of the General Data Protection Regulation anticipated for May 2018, organizations that do not take action to improve transparency associated with breaches will face substantial consequences, Bosnian said.

Additional key findings show that security concerns are not translating into accountability:

  • 33% claimed not to have adequate knowledge of—presumably their own—security policies.
  • 46% of security respondents say their organization can’t stop every attempt to break into their internal network.
  • 63% of business respondents are concerned that their organization is susceptible to attacks, like phishing, targeting the executive team.
  • Despite this high level of concern, 49% of business respondents report not having sufficient knowledge about security policies, and 52% do not understand their specific role in response to a cyberattack.

Gaps in security best practices persist, with 42% of line-of-business respondents saying they store passwords in a document on a company PC or laptop. Roughly one-fifth still record credentials in paper notebooks or store them in filing cabinets. Nearly one-third still do not use a privileged account security solution to store and manage privileged and/or administrative passwords.

Trust in security is at the core of commercial relationships, with 44% saying potential partners assess their organization’s security before doing business with them. And 51% of organizations provide third-party vendors remote access to their networks. Of this group, 23% fail to monitor remote vendor activity.