March 22, 2018
For UK senior executives who admit their organisations have suffered at least one significant cybersecurity breach within the past two years, the associated costs of a breach are considered the most important consequence. This is according to a new study by Centrify, a leading provider of Zero Trust Security through the power of Next-Gen Access, commissioned through Dow Jones Customer Intelligence.
Nearly two-thirds (63 per cent) of respondents in the UK believe investigation, remediation and legal costs are the most important consequence of a breach, followed by disruption to operations (47 per cent) and loss of intellectual property (32 per cent). They showed less concern for impact on brand, including loss of customers (16 per cent) and damage to the company’s reputation (11 per cent).
The study of 800 senior level executives, including CEOs, Technical Officers and CFOs in the UK and US, also indicates that there is confusion among the C-suite about what constitutes a cybersecurity risk and what needs to be done to prevent it. In the UK, malware is seen as the biggest threat to an organisation’s success among 44 per cent of respondents, compared to just 24 per cent who point to default/weak or stolen passwords and 29 per cent who blame privileged user identity attacks. However, of those organisations that experienced at least one significant security breach in the past two years, just 11 per cent admit it was due to malware, while almost twice as many put it down to either a privileged user identity attack or the result of stolen or weak passwords (both 21 per cent).
In fact, 63 per cent of UK organisations that experienced a major breach admit that privileged identity and access management would have most likely prevented the breach. The Verizon 2017 Data Breach Investigation Report supports this, indicating that 81 per cent of breaches involve weak, default or stolen passwords. More than half (53 per cent) of respondents at breached organisations say audit trails for system accesses would most likely have stopped a breach, and a quarter say the same of training or awareness.
According to the survey, the largest areas of cybersecurity investment over the next 12 months will be for malware (44 per cent) and phishing (38 per cent), while protection against stolen or weak passwords (33 per cent) and privileged user identity attacks (26 per cent) are investment priorities for fewer respondents.
Barry Scott, CTO EMEA at Centrify, explains: “It’s no surprise that the C-suite often points to malware as the biggest threat. Sensational headlines about major attacks could be to blame, which companies see and react to, often mistakenly, when in fact identity-related attacks – such as stolen or weak passwords, and attacks on privileged users within organisations – are the primary threat to cybersecurity today.
“What’s worrying is that they then look to invest money in protecting against malware, when in fact they should be focusing on the increase in identity-related attacks. Business leaders need to rethink their strategy with a Zero Trust Security approach that verifies every user and every device, and provides just enough access and privilege.”
CEO disconnect weakening security
A Centrify white paper accompanying the research points to a disconnect between CEOs and their technical peers (CTOs/CIOs/CISOs) in both countries when it comes to the most important cyber risks threatening an organisation, which could leave them vulnerable to breaches. View the study: https://www.centrify.com/resources/ceo-disconnect-weakening-cybersecurity/
Notes for editors:
Additional findings from the research:
- 62 per cent of all CEOs cite malware as the primary threat to cybersecurity, compared with only 35 per cent of Technical Officers.
- Only 8 per cent of all executives stated that anti-malware endpoint security would have prevented the “significant breaches with serious consequences” that they experienced.
- 68 per cent of all executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance.
- Three quarters (74 per cent) of UK respondents that experienced at least one breach say they are ‘very confident’ they could prevent a similar breach, compared to 58 per cent in the US.
- While just 11 per cent of UK respondents believe damage to their company’s reputation is the most important consequence of a breach, nearly half (44 per cent) say that protecting brand reputation is most important for building a business case for spending more on cybersecurity.
The statistics cited in this report are from a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence (a unit of The Wall Street Journal/Dow Jones Advertising Department), with sponsorship from Centrify. More than three-quarters of these executives are CEOs, CFOs or technical officers (including CIOs, CTOs and CISOs) and the remainder are their direct reports. The companies represented have at least 1,500 employees and over half have more than 10,000 employees. They are positioned across 19 industries in the US and the UK, and about half report annual revenues exceeding US$5 billion.
Centrify delivers Zero Trust Security through the power of Next-Gen Access. The Centrify Zero Trust Security model assumes that users inside a network are no more trustworthy than those outside the network. Centrify verifies every user and their devices, and limits access and privilege. Centrify also utilises machine learning to discover risky user behavior and apply conditional access — without impacting user experience. Centrify’s Next-Gen Access is the only industry-recognised solution that uniquely converges Identity-as-a-Service (IDaaS), enterprise mobility management (EMM) and privileged access management (PAM). Over 5,000 worldwide organisations, including over half the Fortune 100, trust Centrify to proactively secure their businesses.
About Dow Jones Customer Intelligence
As part of the Dow Jones Customer Engine, the Dow Jones Customer Intelligence Unit conducts both bespoke and secondary research on behalf of our brands and our clients’ brands, and through rigorous analysis and our unique perspectives seeks to be a trusted source for relevant, timely, and reliable insights.