With high profile breach revelations seemingly part of the weekly news cycle and hard-hitting legislation like General Data Protection Regulation (GDPR) applying pressure to organizations worldwide, security awareness and best practices are now wound irretrievably into everyday commercial reality.
This, of course, is not news to IT security professionals, but what do C-level executives, departmental heads and functional leads make of security and how do they perceive its practice and importance?
The CyberArk Global Advanced Threat Landscape Report 2018 found that many organizations don’t seem to take data breach notification seriously. Half (50%) of the 1,300-plus respondents say their organization did not fully inform customers of past personal data compromises.
Organizations that are not fully transparent about data breaches affecting sensitive data risk serious consequences, such as loss of customers, executive turnover and increasingly severe regulatory penalties.
The ramifications are particularly significant for organizations that do business in the EU, where the GDPR data privacy law mandates pressing new obligations for data transparency.
The regulation, which goes into effect May 25, 2018, requires companies to promptly inform regulators of a breach within 72 hours of discovery. Failure to do so could result in penalties of up to $24 million or 4% of annual global revenue, whichever is higher.
Is this a real problem, or is the risk of a breach a low-level concern? Security professionals who answered our survey were not confident that a serious cyber security breach could be prevented; nearly half (46%) said their organization would not be able to stop every attempt to break into the internal network.
Consumers are increasingly aware of data privacy risks and organizations need to protect their sensitive information, so it is more important than ever to properly safeguard personal data and to be prepared to act, quickly and transparently, should a compromise occur. This is not a problem limited to the security team; it is a problem for the entire business.
With serious potential consequences, it’s not surprising that business respondents in our report believe that the executive team should take a more proactive role in cyber security awareness. In fact, more than three-quarters (78%) of line-of-business respondents say security should be discussed more frequently at the board level.
In this regard, business leaders are right on the mark. Senior executives must take responsibility and accountability for cyber security initiatives to effectively close the awareness gap and strengthen security programs.
To learn more about business leaders’ attitudes and practices around cyber security, read the CyberArk Global Advanced Threat Landscape 2018 Report.