Is your C-Suite risking your Company Data?

Your C-suite executives should be the ones who are most aware of and understand the risks of data exposure. They are ultimately the people responsible for the security of company data and must face the consequences of a data breach. Shareholders are putting their trust and faith in the C-Suite.

According to the 2018 Data Exposure Report commissioned by Code42, the answer is YES, they ARE.

This report was based on surveys of nearly 1700 business, IT and security leaders, and reveals some surprising insights, especially at C-Suite level.

It is surprising to note that many C-Suite executives don’t necessarily follow data security policies that have been put in place and that CEOs are amongst the worst at following the rules that they probably approved in the first place. The report finds that this behaviour is due to their belief that they own the work, they need convenient access or “that’s always how it used to be done”.

The report reveals that 78% of CEOs believe that intellectual property (IP) is one of the most precious assets in their organization, yet 93% admit to keeping copies on personal devices – outside the protection of organizational policies and safeguards.

In a recent press release, Code42 CISO Jadee Hanson said:

“It’s clear that even the best-intentioned data security policies are no match for human nature. Understanding how emotional forces drive risky behaviour is a step in the right direction, as is recognizing ‘disconnects’ within the organization that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”

The report also reveals that:

  • Over 60% of CEOs admit to clicking on links they should not have – potentially exposing the organization to attack by malware.
  • Just under 60% of CEOs admit to downloading software that may or may not be sanctioned by corporate security. Over 75% of business leaders believe their security department would view this as risky, but do it anyway.
  • Over 70% of CEOs admit to taking data with them from their previous employment.

A Chief Information Security Officer (CISO) has an increasingly difficult job. This is due to a lack of visibility into where data is stored, even when good cyber security policies are in place. With ongoing digital transformation and flexible working practices, many IT and security leaders believe that some data exists only on endpoint devices and that losing all corporate data stored on endpoint devices would be seriously disruptive to the business, or even fatal. While many CISOs believe that you can’t protect what you can’t see, many business leaders believe otherwise. This leads to a serious disconnect from reality. Despite this disconnect, the majority of CISOs and CEOs believe that there is a need for a multi-pronged security approach and that their companies need to improve their ability to recover from a data breach – to evolve from prevention-only security to prevention and recovery.

Rob Westervelt, research director at IDC, is quoted as saying:

“The time has come for the enterprise to make itself resilient. IT, security and business leaders need to arm themselves with facts about how the emotional forces that drive employee work styles impact data security policy. To protect an enterprise today, security teams need to have visibility to where data lives and moves, and who has access to it. Visibility is key in protecting an organization against both internal and external threats.”

The report also highlights that almost two thirds of CISOs believe that their company will experience a data breach that will go public within 12 months. Two thirds also indicated that their company has already experienced a breach within the last 18 months.

This reinforces the belief: “Not IF but WHEN”.


Andrew Smith

Andrew is a senior systems engineer with over 20 years’ experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level of the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).
