Boards of companies are still not grasping the challenge of cyber threats in the light of the May 12 WannaCry ransom attack, which affected 150 countries in under 12 hours, says a report on the global cyber security landscape by Control Risks.
In its ‘Cyber Security Landscape’ survey of IT and business decision makers, Control Risks found that senior management are risking their companies by not taking cyber security seriously.
The report specifically noted that a major fallout of the May 12 WannaCry ransom attack concerns boards’ ability to manage cyber security, and that there appears to be a general lack of preparedness on the part of companies.
“This lack of preparedness is especially striking in the light of the 12th May WannaCry ransom attack, which affected 150 countries in under 12 hours,” it stated.
To this end, the report urged board executives to take the issue seriously and to ensure cyber security becomes a regular item on the board’s agenda, one that includes reviewing the external cyber threat landscape in conjunction with IT.
The report also enjoined organisations to benefit from regular crisis management exercises that involve all relevant parties, including the C-suite, IT, legal, communications and any other members of the crisis management team. This would ensure all parties understand their roles and responsibilities and the potential implications of a cyber attack.
“Although companies are now less concerned with merely complying with standards and are focussed on actually reducing the risk of a cyber attack, almost half (45%) agreed that assessing and managing these risks is their biggest challenge,” says the report.
Another key finding of the report showed that companies are struggling to adopt a risk-based approach.
“The misalignment between treating cyber security as a technological issue or a business risk is not new. Yet, the survey shows that this misalignment remains a considerable and on-going concern for many organisations,” says George Nicholls, Senior Partner based in Johannesburg at Control Risks.
He advised companies to always start with the threat.
“The way in which cyber threats are assessed and communicated throughout the business is key. This assessment should include the specific cyber threats to the organisation, how they could impact the business and what controls might mitigate them. After assessing the risks and understanding them, the organisation can then deal with these within its overall risk management strategy.”
The survey reveals that just over 31% of respondents reported they are very or extremely concerned their organisations will suffer a cyber-attack in the next year, and a third (34%) say their organisations don’t have a cyber crisis management plan in place in the event of a breach.
By Business a.m. live staff