A new report by endpoint security firm Code42 has found that CXO-level leaders display both a lack of understanding of, and a poor attitude towards, their own internal cyber security policies.

The 2018 Data Exposure Report is based on a survey on data loss and recovery that polled 1,034 security and IT leaders, CSOs, CTOs, CISOs and CIOs, as well as 600 CEOs and business leaders, all with budgetary decision-making power. The report uncovers a series of organisational disconnects that create dangerous vulnerabilities in data security strategies.

Do What I Say, Not What I Do

According to Code42, 93 percent of CEOs responded saying that they keep a copy of their work on personal devices, outside of company servers or approved cloud applications, underscoring a lack of basic understanding of their own internal cyber security policies to protect enterprise sensitive information. Further numbers reflected in the report don’t paint a rosy picture for senior leadership attitudes.

Over 70 percent of CEOs admit to taking valuable intellectual property (IP) from a former employer

59 percent admit to downloading non-approved software on company devices without knowing their own corporate security policies

63 percent have clicked on links not knowing whether they were safe to do so

Code42 say the high numbers echo the sentiment of 78 percent of CISOs polled for the survey who state that the biggest risk to organisations is people trying to do their jobs the way they want with a disregard for rules.

However, the report also reflects on the need to educate people and change human behaviour and attitudes towards data security, as well as to make internal cyber security policies more transparent.

Human Nature Versus Cyber Security

79 percent of CEOs and 65 percent of business leaders say that their work belongs to them, even though policies typically say otherwise. This makes the CISO’s role significantly more challenging, even in organisations that have the best cyber security policies and tools in place.

Jadee Hanson, Code42’s own CISO, said “It’s clear that even the best-intentioned data security policies are no match for human nature.

“Understanding how emotional forces drive risky behaviour is a step in the right direction, as is recognising ‘disconnects’ within the organisation that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”

And yet there’s still a disconnect between what the CEO perceives IT security to be able to protect and what the CISO can actually protect. 80 percent of CISOs surveyed said they cannot protect what they cannot see, but the corresponding proportion of business leaders polled think the opposite: that you can protect what you can’t see.

The Code42 report underlines the need for a realistic data security strategy, transparent and understandable, that not only addresses human behaviour but also addresses critical issues around data protection, breach prevention and recovery procedures. The report also echoes the recent findings by cyber security firm Curious Frank, which urged Scottish firms to pay attention to insider threats.

You can download a copy of the full report from the Code42 microsite.
