Report: C-level execs knowingly take cybersecurity risks, “hope nothing happens”

CEOs and business leaders understand the importance of cybersecurity, but continue to engage in risky behaviour regardless, according to research by Code42.

The results of the report are compiled from a survey of 1,034 security and IT leaders, CSOs, CTOs, CISOs and CIOs, and 600 CEOs and business leaders, in the UK, US, and the DACH region.

Code42 summarised its key findings as:

  • Even the strongest data security policies and perimeters are no match for human emotion and behavior.
  • Without visibility to employee endpoints, IT can’t protect valuable company data. Yet, they’re expected to.
  • Despite the expense and effort of setting up security perimeters, CISOs and CEOs are planning for data breaches—stockpiling cryptocurrency and paying the ransom when they happen.
  • While companies know that prevention-only strategies don’t work anymore, most haven’t yet evolved to meet the new challenge.

One of the survey’s most interesting findings is that CEOs and business leaders certainly do seem to be aware of the risks. 78% of CEOs agree that intellectual property is the enterprise’s most important asset, and 56% say they expect their company to suffer a breach which will go public within the next 12 months. 60% say that either currently or in the past 12 months they have stockpiled cryptocurrency to pay off cybercriminals in case of a ransomware (and worryingly, 82% of those individuals said that they have made payments to cybercriminals).

But although 78% of CEOs agree that intellectual property is the enterprise’s most precious asset, 93% of them admit to keeping copies of their work on a personal device outside of official company storage. 72% admit to bringing ideas, information and resources with them to a new role when they leave the company.

It’s clear that even the best-intentioned data security policies are no match for human nature.

– Jadee Hanson, CISO, Code42

Code 42’s findings indicate this may be due to CEOs being more likely than other personnel to believe that work they do on behalf of the company is their own property. 50% said that they felt all their work and ideas belonged to them, while another 29% admitted that despite feeling this way, they understood that the work belonged “in part” to the company. It’s possible, depending on the nature of their contractual obligations, that some of the CEOs who responded this way may be be justified in thinking so.

But the problem goes deeper than CEOs and IP.

When asked what the biggest risk to the enterprise was, 78% of CISOs agreed that it was people insisting on doing jobs their own way rather than following rules or complying with policy. While that certainly seems to be borne out by the figures shown above, it’s also demonstrated by other concerning figures shown in the report.

For example, 63% of CEOs and 50% of other business leaders admitted to having clicked on a link that they thought they shouldn’t have, or that they didn’t mean to. Of these, 34% of the CEOs had to change their passwords, 25% lost control of accounts, and 25% paid ransomware.

More worrying yet, of the respondents who claimed to have clicked a link they shouldn’t have, 36% of business leaders and 14% of CEOs didn’t report the mistake to their security team, with the most common reason given being “it was something I could sort out myself”. (The next most popular reasons given were “I was afraid of the repercussions” and “I hoped nothing would happen” – both slightly worrying from C-level executives).

The survey also found that 59% of CEOs and 41% of business leaders had installed unapproved software – of these, 77% said that they did so despite knowing that IT sees this as a security risk. 36% of CEOs and 32% of business leaders say they do this because IT “doesn’t understand” what they need to get the job done.

It seems non-IT business leaders don’t understand what IT needs, either – specifically, visibility. Despite 80% of CISOs saying they can’t protect data they don’t have visibility on, a rather surprising 84% of business leaders think that they can. This perhaps reflects a slightly outdated view of cybersecurity, where a firewall could keep anything in or out – but as the traditional security perimeter becomes less and less relevant to the modern enterprise, visibility into where data is kept and where it’s going is crucial to protecting it.

“It’s clear that even the best-intentioned data security policies are no match for human nature,” said Jadee Hanson, CISO of Code42. “Understanding how emotional forces drive risky behavior is a step in the right direction, as is recognizing ‘disconnects’ within the organization that create data security vulnerabilities. In a threat landscape that is getting increasingly complex, prevention-only strategies are no longer enough.”

To end on a somewhat depressing, but very telling, figure: 72% of CISOs say they know employees regularly save their work on personal devices where it can’t be protected by company security, but that they feel “powerless” to stop it. When an overwhelming majority of CEOs and C-level business leaders are among the offenders – despite saying they take cybersecurity seriously – who can blame their CISOs for feeling that way?

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.

Related posts

Your thoughts