Two-thirds of corporate board members in 12 countries — including Canada — fear a cyberattack on their organization in the next year and almost half feel their organization is unprepared to cope with a targeted attack, new research indicates.
Moreover, Canada came last of those countries for the percentage of board members who agree that their organization has adequately invested in cybersecurity.
Meanwhile, only two-thirds of board members globally view human error as their biggest cybervulnerability, despite the World Economic Forum finding that this risk leads to 95% of all cybersecurity incidents.
The data comes from a new survey of board members’ perceptions of their key challenges and risks. The research was done by Proofpoint Inc. and Cybersecurity at MIT Sloan. Researchers contacted directors in the U.S., Canada, the U.K., France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil, and Mexico.
Lucia Milic, Proofpoint’s vice-president and global resident chief information security officer (CISO), said the fact cybersecurity is on the table in boardrooms around the world is encouraging.
“However, our report shows that boards still have a long way to go in understanding the threat landscape and preparing their organizations for material cyberattacks,” she said. “One of the ways boards can boost preparedness is by getting on the same page with their CISOs. The board-CISO relationship is instrumental in protecting people and data, and each side must strive toward more effective communication and collaborative effort to ensure organizational success.”
The Cybersecurity: The 2020 Board Perspective Report, released Oct. 4, showed Canada has one of the highest disparities among the countries examined when it comes to the perception of risk by a CISO and their board: 76 per cent of CISOs see greater risk, compared to 50 per cent of board members.
“That board members and CISOs are not on the same page when it comes to risk may not be surprising, but it is certainly very telling,” the report said. Most CISOs know too well the difficulties of obtaining buy-in for cybersecurity projects. This difference in perceived threat levels is a significant barrier to the united front that is essential for a successful cybersecurity defence.
However, the report stressed it was clear from results that boards do take cybersecurity seriously. Further, it said, there are commonalities in where directors see threats.
Surveyed board members rated email fraud and business email compromise as their top concern (41 per cent), followed by cloud account compromise (37 per cent) and ransomware (32 per cent).
Notably, board members and CISOs did diverge on one issue: insider threats were not a top concern for boards, but were the No. 1 concern for CISOs.
In Canada, the top concern for board members is ransomware attacks, the survey found.
Globally, Canada ranks with the U.K., France and Singapore as having company directors who view the impact of a cyberattack on their organization’s reputation as the most pressing concern.
Still, the report suggests there may be a misplaced sense of confidence.
The survey found boards are likely focused primarily on protective measures, and not ready to respond properly in the event of an attack.
“They may even have deemed the cyberattacks as ‘cost of doing business,’ without fully understanding either the risk or the impact to the bottom line,” the report said.