Barry Scott, CTO EMEA, Centrify
The high profile data breaches of the past year have demonstrated the deep and far-reaching impacts a lapse of security can have on a business. Yet the perceptions of senior executives are still not aligned when it comes to what constitutes a risk, and how to prevent it – and this is weakening cybersecurity postures.
CEOs wrongly believe that malware is the biggest threat to their organisation’s cybersecurity, perhaps due to the attention-grabbing headlines about major attacks. In a recent Dow Jones Customer Intelligence/Centrify survey, 62 percent of US and UK CEOs cited malware as the top risk faced by their organisation. The senior technical executives on the board, however, pointed to identity as the primary attack vector.
They are correct, of course: Verizon’s 2017 Data Breach Investigation Report found that 81 percent of breaches now involve weak, default or stolen passwords. It’s worrying that CEOs are so significantly underestimating the risk, with 43 percent perceiving compromised credentials as only a ‘minor threat’ or ‘not a threat at all’ to an organisation’s success. Almost half of those say it would take a major data breach to change their view.
As a result, organisations’ cybersecurity spend is being focused in the wrong areas: almost two-thirds of CEOs say they invest the most in malware prevention. Identity-related attacks are way down the priority list, with prevention of privileged user attacks right at the bottom. This means that most companies’ security strategies and budget allocation do not correspond with the actual threats they face, which is leaving them wide open to breaches.
Beyond strategic decisions, misperceptions around risk and how to address it also distort leaders’ understanding of how well protected their company is against threats – and this leads to misplaced confidence in their ability to prevent breaches. Whereas 79 percent of CTOs acknowledge that their organisation has experienced a data breach, only 55 percent of CEOs believe that the security of their business has been compromised.
When it comes to security tools and technologies, we see another disconnect between the views of CEOs and CTOs. Overall, CEOs believe that technologies such as multi-factor authentication (MFA) offer a poor user experience and are difficult to manage, while most technical officers – who are much closer to the front line, and better informed about how such tools are evolving – disagree. This outdated perception held by CEOs is also likely to have a major influence on investment decisions.
To be able to effectively deploy resources and budgets, the entire C-suite needs to have a clear and accurate picture of the real cybersecurity risks their organisation faces – and this means listening more closely to their technical officers.
Leadership teams must recognise that identity is the greatest threat to business success, and target their security strategy accordingly. They need to shift their mindset away from the traditional model of relying on perimeters between ‘trusted’ corporate insiders and ‘untrusted’ outsiders, and move to a zero trust approach. This means verifying every user, validating their devices, limiting access and privilege, and using machine learning to improve the user experience by recognising and adapting to normal behaviour, while highlighting behaviour that needs to be addressed.
Technical leaders have a key role to play in actively influencing the perceptions of their peers. They should be ready to identify views that may be outdated or skewed, provide evidence to counter these – and make recommendations for the appropriate approaches to take to strengthen the cybersecurity posture.